Securing credit cards

Much debated PCI 1.2 standard issued; next up is end-to-end encryption and virtualization security. Page 12.


Gas shortage spurs telework in southeast U.S.

Gas shortages in the southeastern United States are prompting companies to consider expanding their telework programs, as well as boosting carpool and public transit use. Page 16.


IBM’s security

Big Blue protects its intellectual property using its own security technologies. IBM also is working to embed antivirus and firewall features in all of its software products, says software chief Steve Mills. Page 10.


CA gets automated

CA this week will roll out a data center automation product designed to let customers automate systems monitoring and resource provisioning. Page 14.


Microsoft to float cloud OS

Microsoft at the end of the month will unveil its “Cloud OS,” the secret Ray Ozzie project that provides a virtual Windows operating system platform for the rapid development, deployment and maintenance of Internet services and applications. Page 20.


WiMAX seen mustering momentum

BY BRAD REED

CHICAGO — The WiMAX industry last week gave U.S. corporations hope that the high-speed wireless data technology might become a bona fide service option sooner rather than later.

Last Monday, Sprint Nextel’s much-anticipated Xohm network went live in Baltimore, marking the first time a major carrier has offered mobile WiMAX services in the United States. On the heels of that, a slew of vendors showed off gear to work with such services at the annual WiMAX World conference in Chicago.

“We have a time-to-market advantage that is ours to lose,” WiMAX Forum President Ron Resnick told attendees during his opening keynote address.

As a wireless data standard that operates in the 2.5GHz frequency band, WiMAX can achieve speeds as fast as 10Mbps over a span of 6 miles in some areas. Baltimore’s WiMAX network will have more modest speeds to start, topping out with download speeds in the 2M to 4Mbps range, but early reviews proved positive.

On the WiMAX World showroom floor, several device vendors gave attendees an idea of
See WiMAX, page 40

COOL TOOLS

■ RealDVD software lets users copy their DVDs to a hard drive so they can be viewed on a computer.

See Cool Tools, page 26.

GOOD BAD UGLY

Hypervisor giveaway

Following a similar move by virtualization leader VMware in August, Microsoft last week released a free, low-footprint version of its Hyper-V virtualization software as it continues to chase its rival. Hyper-V Server 2008 includes only the Windows Hypervisor, Windows Server driver model and virtualization components.

Suspect e-passports

The data on the radio chips in so-called e-passports can be cloned and modified without detection, representing a gaping security hole in next-generation border-control systems, according to security researchers. Upwards of 50 countries are rolling out passports with embedded RFID chips containing biometric and personal data to cut down on fraudulent passports and strengthen border screenings, but many of them are not complying yet with digital certificate protocols.

Lies, ties, lies.

Employees are more likely to lie via e-mail than by other means of communications, according to research jointly conducted at Lehigh University, Rutgers and DePaul. "There is a growing concern in the workplace over e-mail communications, and it comes down to trust," says Liuba Belkin, co-author of the study.


POLL

A snapshot of how networkworld.com visitors voted on a key networking issue last week:

Is your IT staff prepared to keep the network running during a pandemic?

Not sure: 19%
Yup, no problem: 31%

Total voters for this poll: 78

Vote and discuss: www.nwdocfinder.com/6935

PEERSAY


Microsoft NAP will win

Re: Microsoft’s NAC comes out on top (www.nwdocfinder.com/6922):

I think Forrester Research got it right: Microsoft is “near-ubiquitous” in the large enterprise, which this report covers. When one of the enterprise NAC challenges is deploying a vendor’s big, ugly NAC client, Microsoft clearly has the advantage with NAP, and it already has surpassed anyone in number of client deployments. Cisco’s NAC deployment assumes a Cisco Powered Network, a non-starter for many companies. I disagree with Forrester on one point, that software-based NAC will be successful. It’s pretty clear to me that the last thing any customer wants is Yet Another Agent.

Todd Hooper

Discuss at www.nwdocfinder.com/6923

Feet on the ground still important

Re: Biometrics help U.S. soldiers fight terrorism (www.nwdocfinder.com/6924):

While your article was interesting, you were in error on an important fact. The 1,722 capture/kills claimed by the U.S. Special Operations Command were mostly the work of soldiers and marines using biometric toolkits and handheld identification equipment. Their biometric collections numbered almost 2 million during the time when SOCOM was collecting its 28,000. The two capture/kills a day attributed to SOCOM by many at the Biometric Consortium Conference are in fact mostly the work of conventional soldiers and marines by sheer fact of numbers.

Jerry D. Jackson Jr., EIT

Senior program manager, defense biometrics

Lockheed Martin

Discuss at www.nwdocfinder.com/6925

Fighting viruses the open source way

Re: Enterprises overpay for antivirus software, says analyst (www.nwdocfinder.com/6926):

What we lack is a valid open source, collaborative, managed option to at least compete with the current crop of commercial applications. There are tons of great open source and other products, but the abstraction is missing to be able to manage them, which hinders compliance.

As a concept, we could look to something like Herdict from the Berkman Center for Internet & Society as a management layer coupled with a miniature version of the [Interface for Metadata Access Point] implementation. Looking at that concept, we could get the valid competitor with plug-ins and so forth that would enable more agility without having to always wait for the commercial companies to tell you it is OK to move forward.

David O'Berry

Discuss at www.nwdocfinder.com/6927

A Google phone believer

Re: The G1 vs. the iPhone (www.nwdocfinder.com/6928):

Based on all I’ve read, I would choose the G-phone, primarily for the Linux platform and openness. The article did not address storage, and I think this is important to some people. The article does not state how much storage the G-phone has, or whether or not it has the ability to have storage added via memory card. We know the iPhone comes in 8GB and 16GB models. Some people may prefer the iPhone for its known storage capabilities. Also, battery life was not addressed, but I suspect that is due to not having devices to test with.

Toby Fruth

Discuss at www.nwdocfinder.com/6928

Oh, so now the feds want to get tough

Re: Feds tighten security on .gov (www.nwdocfinder.com/6929):

The feds have been the biggest obstacle to getting Domain Name System Security Extensions widely implemented. Part of this was during the crypto rights wars of the 1990s, but since then they’ve also been obstructing it.

In 1998, the Bureau of Export Administration blocked the publishing of DNSSEC reference software because it included the RSA algorithm and that algorithm could have been used for encryption, even though the DNSSEC implementation only used it for signatures. Since then, they’ve been directly (or indirectly through the Internet Corporation for Assigned Names and Numbers) delaying getting the DNS root signed. That makes it more difficult to use DNSSEC even with top-level domains that are signed (a few countries have signed theirs). There’s also a conflict of interest between DNSSEC promoters and SSL certificate sellers, which hasn’t helped.

Bill Stewart

Discuss at www.nwdocfinder.com/6930

E-mail letters to jdix@nww.com or send them to John Dix, editor in chief, Network World, 492 Old Connecticut Path, Framingham, MA 01701-9002. Please include phone number and address for verification.

Follow these links to more resources online

BLOGOSPHERE


■ Computer kleptomaniac steals from Navy and Marine Corps lab. Richard Stiennon writes in his Stiennon on Security blog, "Police have arrested an IT worker from the Navy and Marine Corps Naval Research Lab. A call from his wife led them to his home where they discovered over 19,000 items that he had stolen from the lab over the years. Prosecutors value his hoard of CDs, hard drives, floppy disks and zip drives at $1.6 million. Of course that valuation is ridiculous as old hard drives are pretty much worthless. But think of the data loss nightmare! Some guy suffering from Murphy's Pencil Problem accumulates two decades worth of data storage from your organization containing who knows what kinds of confidential information." www.nwdocfinder.com/6931

■ Google creates its own energy-independence plan. The Google Subnet blog reports: "Citing a lack of government leadership, Google CEO Eric Schmidt unveiled a sweeping, $4.4 trillion plan to wean the U.S. off of foreign oil and other 'dirty' energy sources and become energy-independent by 2030. The plan involves moving away from coal and instead turning to wind, solar and geothermal power. It also cuts oil use in cars by 40 percent by ramping up usage of hybrid and electric-powered vehicles. Though expensive, the Clean Energy 2030 plan will eventually result in cost savings, Schmidt says." www.nwdocfinder.com/6932

■ Determining who is using braindumps isn’t straightforward. Randy Muller writes in his All about Microsoft Certifications blog, "I was talking with a group of students about what they used to help pass the 70-236, Configuring Exchange Server 2007. Given that this was a largish group of students and that there was a lot of senior management “interest” in their performance, I expected to see several braindumps — and yet, none were used. I was surprised at this on several accounts given the pressure this group was under. Instead, the students were very conscientious in preparing for this test. They worked in excess of 12 hours a day going through various legitimate test preparation software packages and reviewing course material. They also had several review sessions with different instructors to help prepare them for the test. They also quizzed each other from several sources. I mention all these different preparation measures to show that there is not one way that has to be used (or that can be used) to prepare for a test." www.nwdocfinder.com/6933


HTC Touch Diamond: Lipstick on a pig?

Keith Shaw borrows a phrase from the elections in looking at the HTC Touch Diamond phone from Sprint. Sure it's iPhone-like, but does it compete?

www.nwdocfinder.com/6939

Murata's unicycling robot

The CEATEC 2008 show kicks off with a look at Seiko, a robot that can balance on a single wheel. Developed by Murata, Seiko shows off the company's components.

www.nwdocfinder.com/6940

Find Wi-Fi with WiFinder

Our new video series on cool iPhone applications features WiFinder, which provides an easy way to find available access points and how easy it is to connect.

www.nwdocfinder.com/6941

How data forensics help root out certification cheaters

Tech exec: There’s nothing quite like stirring the pot of controversy. Last month, Linda Musthaler’s Cache Advance column addressed the issue of cheating on certification exams. Specifically, she said that using "study aids" (i.e., stolen exams) that come from braindump Web sites could put a certification candidate at risk of being accused of cheating. The column was intended to inform people that many certifying agencies are now using data forensics to analyze test responses and look for extremely unusual behavior. As it turns out, people who use braindump materials often fall into this category. The ultimate penalty for cheating could be loss of certification with negative employment consequences. This assertion led to a reader backlash, with some people suggesting that the forensic analysis is inaccurate and would ensnare people who did not cheat in any way, shape or form. Anonymous readers posted comments such as these:

• “...who validates the forensics? In any investigation, there are always false positives. Legitimate people (even if only a few) will be caught unfairly. How will this be policed?”

• “Has anyone else seen or heard of this? Is the Microsoft cheating, a rediculous [sic] red herring? Or is there some kind of official [sic] document saying if you get all the answers right you’ll be banned?”

www.nwdocfinder.com/6936

Training: Layoffs seem to be coming fast and furious these days, with thousands of jobs expected to be lost at companies like Lehman Bros. and Merrill Lynch. At HP alone, 24,600 layoffs are in the cards. Obviously, many of these layoffs will leave IT workers without jobs, so how should newly unemployed tech pros go about searching for a new position? To get some advice, I interviewed Janice Weinberg, a former IT pro and career consultant based in Westport, Conn., who recently wrote a book called Debugging your Information Technology Career: A Compass to New and Rewarding Fields that Value Computer Knowledge. Weinberg said her most important piece of advice is to conduct an active job-hunting campaign. While this may seem obvious on the surface, Weinberg says many job hunters are content to simply answer job ads and wait by their phone or computer for a response that might never come. www.nwdocfinder.com/6937

Vendors fixing bug that could crash ’Net systems

Internet infrastructure vendors are working on patches for a set of security flaws that could help hackers knock servers offline with very little effort. Technical details on the vulnerabilities have not been released, but the security experts who discovered the problem, Robert Lee and Jack Louis of security vendor Outpost24, say they can knock Windows, Linux, embedded systems and even firewalls offline with a denial-of-service attack. The flaws lie in the TCP/IP software used by these systems to send data over the Internet. Lee and Louis first discussed the problem at a conference in Amsterdam, and many of the affected vendors are working on patching the issue with help from the Finnish national Computer Emergency Response Team. In a statement, Microsoft said it was investigating the matter and that it was “unaware of any attacks trying to use the claimed vulnerability or of customer impact.” www.nwdocfinder.com/6943


AMD says Shanghai won’t be another Barcelona. Advanced Micro Devices said its four-core Shanghai processor is on track to ship in servers by year-end and sought to reassure customers that the problems that delayed its previous server chip, Barcelona, are a thing of the past. AMD halted sales soon after it shipped the first quad-core Barcelona processors last September when a bug was found in the chip’s cache memory. Pat Patla, general manager of AMD’s server and workstation group, said the first Shanghai chip, a “mainstream” processor running at 75 watts, will be available in servers in the fourth quarter. Two other models will ship in the first quarter next year: a low-power, 55-watt version for blade servers, and a high-power, 105-watt version for large, “number-crunching” machines. AMD, which has been struggling financially, is expected to announce a plan soon to spin off its chip fabrication plants in order to lower its capital costs. www.nwdocfinder.com/6944

Enterasys/Siemens combo gets a CEO. Siemens Enterprise Communications, the new joint venture between The Gores Group and Siemens AG, has named 30-year technology industry veteran James O’Neill as its CEO. O’Neill, 54, is a native of Ireland who became an American citizen in 1976. He most recently served as CEO of CompuDyne, a provider of products and services to the public security market. CompuDyne also is owned by Gores, which acquired a 51% stake in Siemens Enterprise Communications in a $550 million deal announced on Sept. 30. Gores plans to combine Siemens Enterprise Communications with its Enterasys and SER Solutions companies. O’Neill’s priorities will include merging these three holdings into a multibillion dollar global supplier of enterprise VoIP, wireless LAN, Ethernet switching and call center products. www.nwdocfinder.com/6945

Three indicted in IT procurement scandal. An IT consultant and two employees of a Boston hospital holding company face bribery charges in connection with the way the healthcare concern funneled software, hardware and consulting contracts to his company. Brian Colpak, owner of Future Tech, allegedly won “several hundred thousand dollars” in contracts by agreeing to pay kickbacks to the employees of Partners Healthcare, which owns Massachusetts General Hospital, Brigham and Women’s Hospital and the Dana Farber Cancer Institute, according to the Massachusetts Attorney General’s office. Prosecutors charge that Partners IT employees John DiMille and John Cleary began directing work to Future Tech in 2003. The Attorney General’s office says it began investigating last year, after hospital officials contacted them. www.nwdocfinder.com/6946

Sun goes commercial with OpenSSO. Sun last week released a commercial version of OpenSSO offering full support and indemnity as it works towards its promise to open source all its software. OpenSSO is a set of Java-based technologies that include single sign-on, access management, federation and secure Web services. Sun’s OpenSSO Enterprise aligns with the OpenSSO project, which produces software known as OpenSSO Express. Users who buy into OpenSSO Enterprise will get support and indemnity on both the commercial and open source versions, where new features are added at a more rapid clip. Sun is following a popular open source development method by aligning an open source project, which functions much like a living beta, with a supported commercial version of the same software. Sun uses the same model with MySQL. www.nwdocfinder.com/6947

Security researcher reveals iPhone flaws. Apple’s iPhone has two design flaws that could pose potential security problems, according to a researcher. The first one concerns the iPhone’s e-mail application, which automatically downloads images within an e-mail, security researcher Aviv Raff said. That’s problematic because the image will refer back to a server-side script when it is downloaded, indicating to the sender that the e-mail address is valid — and can be spammed. The second design flaw is how the iPhone’s e-mail application displays URLs. In HTML mode, a user can get an e-mail where the text of the link is different than the actual link. The true link can be displayed by hovering over the text, but the pop-up window truncates the URL. An attacker could create a Web site with a long subdomain to fool a user into thinking a phishing site is a legitimate site. www.nwdocfinder.com/6948

Computer users lack basic security precautions. Cybersecurity efforts in the U.S. government and many businesses are improving, but many individual computer users still don’t take basic precautions against cyberattacks. More than 90% of computer users surveyed have antivirus software installed and updated and 82% have antispyware protection, said Adam Rak, Symantec’s senior director of public affairs. But only 42% of users who allowed Symantec to scan their computers had firewalls installed and enabled, and 58% had antispam protections. Eighty-one percent of those surveyed said they believed they had firewall software installed, and 75% said they believed they had antispam protections, Rak said. “What we have is a perception-vs.-reality issue here,” he said. www.nwdocfinder.com/6949

Microsoft updates desktop management tools. Microsoft has released the next version of its desktop management toolset for IT that includes updates to its application virtualization and asset management tools. Microsoft Desktop Optimization Pack is designed specifically to help IT administrators manage collections of Windows desktops, including Vista SP1. It’s comprised of software from Microsoft’s purchases of Softricity, Kidaro, AssetMetrix, Winternals Software and DesktopStandard, and it’s a big part of Microsoft’s Optimized Desktop, which addresses centralized management and deployment of both physical and virtual resources. New to MDOP 2008 R2 is App-V 4.5, which lets users package applications in “containers,” then stream those containers to desktops, devices or shared PCs. www.nwdocfinder.com/6951


www.networkworld.com  •  OCTOBER  6,  2008  •  9 


NEWS ANALYSIS

IBM protects key technologies

BY JON BRODKIN

BOSTON — IBM software chief Steve Mills receives a monthly report on employees and contractors who have left IBM, as well as the actions taken to close off their access to sensitive information as soon as they walk out the door. Ideally, the very second a person’s affiliation with IBM ends, that person’s active identity within the business and all passwords will be wiped out, removing any access to intellectual property.

“I look at this every month,” Mills said Wednesday in a keynote address at an IBM-hosted security event. “There are some months where someone will leave, and the loss of their access will flop over to the next day.”

IBM considers that an “escape” in its system, and analyzes what caused it and what actions are being taken to prevent it from happening again. It’s a huge priority because IBM has to protect the intellectual property related to its software, and data thefts are perhaps most likely to occur at the time an employee or contractor leaves the business, Mills said.

“This is a very complex and challenging problem,” Mills said. “It requires thinking about it in a very holistic way.”

After his keynote, Mills expanded on his views during an interview with Network World. The senior vice president and group executive for IBM’s software business since July 2000, Mills has overseen the acquisition of more than 50 software companies, and manages about 50,000 employees and business totaling 40% of IBM’s profits.

Electronic identity and the ability to de-authorize people immediately when they move out of your business are paramount, both for employees and contractors, Mills said. Controlling access during the time they’re employed requires effort too.

IBM protects its software code with strict controls by granting most workers only partial access to code libraries, based on their need to know. For example, only a small number of people would need to see all the code related to a popular software product like WebSphere, Mills noted.

“We have fairly tight access controls for our code libraries to begin with,” Mills said. “Only a limited number of people can get at the entire code itself.”

IBM works with clients who have had angry ex-employees or contractors cause damage to electronic systems, but IBM has controlled its own intellectual property “extremely well” over the years, Mills said. “Not unlike other companies, we’ve certainly had some suspicious activity where we’ve had to go back in and investigate that, no, people were not doing anything we didn’t authorize,” he said.

IBM's expertise in identity management carries over to its product offerings, including Tivoli Identity Manager and Access Control. For example, if an employee is leaving a business on a Friday at 5 p.m., Identity Manager allows the employer to specify the de-authorization time in advance so the passwords will stop working right then, Mills said.

“When his identity is gone all of his access and authorities will be removed,” Mills said.

Single point of entry

IBM also has worked on giving customers a single point of entry for various authentication plans, including those existing on other vendors’ systems.

“A lot of our focus is on federation,” Mills said. Customers “have many different applications from different vendors. They’ve chosen different forms of authentication schemes, they may have nested or embedded identity function in those applications. How can we layer on top of that in a way that can give them a common point of integration and consistency and not cause them to rip out the systems and applications they’ve already bought?” he asked.

That single point of access is available through Identity Manager and Access Control. IBM also added single-sign-on technology to Tivoli earlier this year when it acquired the vendor Encentuate, Mills noted.

“What that acquisition did is widen our capability to deal with single sign-on across a broader range of single sign-on scenarios,” Mills said. “Customers were saying they wanted more flexibility and ease of setup and administration.”

IBM used its security event to discuss how it’s trying to embed security features in all its software products. Rather than selling only stand-alone security tools, the idea is to build antivirus, firewall, identity management and other types of tools into such products as Lotus Notes, WebSphere and Enterprise Content Management.

“The ingredient of security is essential to all the technologies we deliver,” Mills said. “Thousands of IBM programmers are working on a lot of features across our portfolio.”

But that doesn’t mean we’ll reach a point any time soon when stand-alone security products are obsolete, said Val Rahmani, general manager of IBM’s Internet Security Systems division. “Not in the short term. In the long term, who knows,” she said.

With server virtualization gaining in importance in IT, IBM is focusing on the security of virtualization, last week offering a glimpse at a Virtual Intrusion Prevention System appliance that will operate in VMware’s virtual machine environment; it’s expected to be available early next year.

Security related to the virtualization of x86 machines isn’t as mature as that of mainframe virtualization security, Mills said. “IBM’s virtual machine product on the mainframe is well known for its security and ability to uniquely isolate each one of those virtual machine instances,” Mills said.

Developers who work on securing virtualized x86 servers are still trying to find the best ways to isolate applications and memory, Mills said.

“It’s important to never say never,” Mills said. “The challenge is given enough time, enough resources, and the lack of any triggering that would lead someone to believe that someone’s trying to do something bad, [hackers] can eventually figure out how to break into anything,” he said.


InBrief 

HP  to  buy  LeftHand  Networks 

HP will buy LeftHand Networks for $360
million to fill in its storage-virtualization and
iSCSI lines with products for midsize companies
and remote offices. LeftHand was an
early developer of SANs built around iSCSI.
Among the features of LeftHand’s products
are data replication for backup and disaster
recovery, and an “intelligent cloning technology”
that can reduce the amount of required
disk space by as much as 97%, the companies
said. LeftHand’s products already work
with many of HP’s, including ProLiant
servers, BladeSystem platforms, ProCurve
networks and Insight Control management
software. The deal is expected to close in
HP’s fiscal 2009 first quarter, which will end
in January.

Google  proposes  $4.4  trillion 
clean  energy  plan 

Tiring of its mission to “organize the world’s
information,” Google has set itself a new
objective: save the planet. The search giant
unveiled a $4.4 trillion plan to reduce U.S.
dependency on fossil fuels and embrace
alternative energy. The proposal would yield
a net savings of $1 trillion by 2030 and slash
U.S. carbon dioxide emissions by 48%,
according to Google, which said it had been
busy “crunching the numbers.” The plan
involves weaning the United States off coal
for producing electricity, and turning to
wind, solar and geothermal power instead. It
also would cut oil use in cars by 40% and
use electricity for personal transportation.
The company’s goal in announcing the plan,
called Clean Energy 2030, was to stimulate
debate, Google said.
NEWS ANALYSIS

Credit-card  security  gets  stronger 

End-to-end  encryption  and  virtualization  security  on  horizon 


What’s new in the PCI 1.2 standard

• New wireless implementations are prohibited from using WEP after March 31, 2009;
current wireless implementations are prohibited from using WEP after June 30, 2010.

• Code changes to internal applications must be reviewed by individuals other than the
originating code author, as well as by knowledgeable individuals.

• Clarified IDS vs. IPS requirement: changed monitoring scope from “all network traffic”
to “all traffic in the cardholder data environment.”

• When electronic media is destroyed, cardholder data must be rendered unrecoverable,
which can be achieved via a secure wipe program or by physical destruction.

Source: PCI 1.2 “Summary of Changes” document of the PCI Security Standards Council


BY  ELLEN  MESSMER 

The Payment Card Industry Security Standards
Council, the organization that sets technical
requirements for processing credit- and
debit-cards, last week issued revised security
rules and indicated that next year it will focus
on new guidelines for end-to-end encryption,
payment machines and virtualization.

Adherence to PCI rules could play a key role
in preventing big data thefts, such as the 2005
TJX breach, security experts say.

The PCI 1.2 data security standard seeks to
clarify several pieces of the earlier 12-part PCI
1.1 standard that had many confused. Among
other things, Version 1.2 clarifies that all operating
systems associated with card processing
have to run antivirus software; many had
thought this was only about Microsoft Windows.
“That sounds like a sensible piece of
advice,” says Sushila Nair, product manager at BT,
who says organizations often deploy antivirus
on Windows but erroneously believe Unix, Mac
and other operating systems are somehow less
vulnerable. However, accommodating the clarified
PCI rule on antivirus in many places will
be “expensive,” she says.

One of the biggest topics of debate at last
month’s PCI Council meeting was how to
determine what “network segmentation”
means because the standard is aimed at
devising technical methods to cordon off
where credit cards are stored so that PCI compliance
assessment can focus on the specific
parts of a merchant’s network involved with
cardholder data.

“There was a lot of talk about network segmentation,”
says Sumedh Thakar, PCI solutions
manager at vulnerability-management and
policy-compliance product company Qualys.
“A lot of merchants were trying to get answers.
The guidelines now are to restrict access using
firewalls,” he says.

The PCI 1.2 standard advises the use of “internal
firewalls, routers with strong access control”
and other network-restricting technologies
to assure internal network segmentation for
card-processing purposes.

Some  IT  managers  say  the  PCI-based  reviews 
their  organizations  undergo  now  are  based 
already  on  PCI  1.2.  Such  reviews  typically  are 
carried  out  by  PCI  Council-certified  assessors  if 
self-assessment  procedures  aren’t  applicable. 

“It was in draft form, so we decided to use
that since there seemed to be no point in using
1.1 anymore,” says one IT manager, who preferred
not to be named. His organization is
finding it very difficult to isolate the network to
protect specific servers and applications associated
with cardholder data, plus monitor and
log according to the PCI 1.2 guidelines, he says.

“There’s no way we can log all the stuff they
want,” the manager says, adding his organization
has no choice but to keep plowing on with
the assessors to make it through the PCI audit.

Vendors  supporting  new  standard 

The  PCI  update  also  is  ushering  in  revised 
products  to  support  it. 

Qualys, for example, last week introduced a
Web-application scanning service directed at
satisfying the new requirement that Part 6.6 of
PCI 1.2 brings for testing public-facing Web
applications for vulnerabilities “at least annually
or after any changes.” An alternate technology
allowed in Part 6.6 of PCI 1.2 would be
installing a Web application firewall.

One new rule expected to affect merchants
with wireless networks bans new implementations
of the Wired Equivalent Privacy (WEP)
protocol, deemed to be too weak, after March
31, 2009, and mandates that all WEP implementations
must be phased out by June 2010.
The Wi-Fi Protected Access standard is advocated
in its place.

“WEP is going to be the biggest issue the merchants
face out of this,” predicts Bob Russo,
general manager of the PCI Council.

Even as merchants and other organizations
processing credit cards pore over the 73-page
PCI 1.2 document to figure out the changes,
they need to know that even more changes are
slated for next year. The council is developing
security guidelines for unattended payment
terminals, including automated teller machines
and other types of vending machines
that process payment cards. Next year there
will be discussion about how security safeguards,
such as encryption, should be used in
ATMs for processing PINs, Russo says.

End-to-end encryption is likely to be a central
focus as the council seeks input on how this
might best be achieved in the payment-card
environment through different technologies. If
that is accomplished, it might result in a decidedly
new PCI standard in the future for card-data
protection, Russo says. “Today we say that
if you’re going outside the network, you need to
be encrypted, but it doesn’t need to be
encrypted internally,” he says. “But as an example,
if you add end-to-end encryption, it might
negate some requirements we have today, such
as protecting data with monitoring and logging.
Maybe you wouldn’t have to do that. So,
we’ll be looking at that next year,” he adds.

Gartner analyst Avivah Litan says very large
retailers are now looking at end-to-end encryption
and would like to go this route. “The council
is years behind the curve,” she says, and also
criticizes the council for failing to address such
fundamental issues as network segmentation
and network scope early on and devising rules
that tend to treat vastly different types of organizations
in the same way. The PCI rules have
treated “an e-commerce retailer the same as an
international store chain,” she says.

Another area where more standards could
emerge is in virtualization, where physical
servers are being replaced with multiple virtual
servers. “How do you protect these virtual
machines?” Russo asks. “We don’t know just
yet.” The council, however, hopes to try to determine
the best approaches to protecting card
data in the virtual-machine environment.

Sometimes today’s security tools, such as
scanners, aren’t always adequate, vendors
acknowledge. Qualys, for instance, says the
scanner it has today can check out the basic
IP address but can’t dig into the virtual-machine
applications, though it’s working on
new tools for that.

IBM, which last week introduced its Secure
Store program for providing retailers with physical-security
protection and compliance with
PCI, also says there’s work to be done in virtualization
security.

Virtualization’s different way of running
applications is causing “some blind spots,”
acknowledges Josh Corman, principal security
strategist at IBM’s ISS division.
NEWS ANALYSIS


CA airing data center automation

CA develops technology that enables IT to delegate duties


BY DENISE DUBIE

CA this week plans to unveil its data center
automation product that industry watchers say
will help IT staff offload server resource-provisioning
duties and give CA an advantage over
competitors BMC and HP.

CA Data Center Automation (DCA) Manager
r11.2 will let customers automate systems
monitoring and resource provisioning. The software
competes with technology HP acquired
with Opsware and BMC bought with
BladeLogic. CA developed its product in-house,
which industry watchers say could give
the company an edge if competitors are still
working to integrate acquired software.

“CA’s seemingly slow progress on the DCA
technology is a sign of an internal design
approach which might just be the right one,”
says Evelyn Hubbert, senior analyst with
Forrester Research. “Acquisitions are always
challenged by architectures, which need to be
matched or modified mostly to the disadvantage
of the client. CA knows its architecture
and can design integrations and extensions
from the ground up.”

For instance, DCA Manager will integrate software
for network and systems management as
well as ties to Wily Introscope 8 and Customer
Experience Manager 4.2 products for application
performance management, which also are
scheduled to be announced this week.

DCA Manager runs on a server and works
with existing agents in a customer environment
to gather information and trigger events.
The software collects system software and
hardware configuration information, discovers
applications and their dependencies, and
detects change across the environment.
Integration with existing products also gives the
software access to network availability, application
performance and business service management
data, which CA says can help automate
resource allocation based on demand.

“The software includes algorithms and policy-based
management features that, for
instance, can compare how application performance
correlates to resource consumption.
Based on that information, DCA Manager can
determine if resources need to be provisioned,”
says Stephen Elliot, vice president of
strategy for CA’s Infrastructure Management
and Data Center Automation business unit
(and a former IDC analyst).

DCA Manager monitors utilization and performance
across mixed-platform data center
environments. The data can then be fed into
customizable dashboards that give data center
managers a view of their physical and heterogeneous
virtual environments, a capability
many vendors are looking to offer, analysts say.

“It’s unclear at this point if the market for data
center automation products is tied to hardware,
which could be HP’s selling point, virtualization
platforms like VMware and Microsoft
or third-party software that can handle heterogeneous
hardware, operating systems and virtual
technologies,” says Mary Johnston Turner,
senior analyst with Enterprise Strategies Group.

CA says the DCA Manager software also can
be used to provision resources on a scheduled
basis, letting customers delegate duties. For
instance, a self-service feature lets non-IT staff
schedule desired resources for specific applications
or events at the university. Once scheduled,
DCA Manager will use images and templates
built by Husain’s staff to automatically
provision the server capacity for the assigned
function. When the need is no longer there, the
resources can be reclaimed by IT.

“When it comes to management, IT decision
makers list the impact on IT staff and cost as
the top factors they consider. CA’s self-service
reservation management system gets IT in
part out of the workflow and lets end users
schedule resources for themselves,” Turner
says. “Technology that saves on staff time and
keeps the business going is compelling, and
right now investing in automation tools is really
going to pay back for IT.”

Naveed Husain, CIO at Queens College, a City
University of New York public educational institution,
is conducting a proof of concept on CA
DCA Manager. He says the software, which is
not fully implemented, could help him manage
more than 100 Dell servers running
Windows and Linux operating systems and
supporting more than 20,000 students, staff, faculty
and other employees — without adding
head count. And with virtualization on the
horizon, Husain realized he couldn’t postpone
an investment in infrastructure monitoring and
automation technology any longer.

“It’s embarrassing to have built a high-availability
environment with redundancy and
failover and get calls because disk utilization
on a server is over 75% and you didn’t know
because you can’t have human eyes on all the
servers all the time,” Husain says. “At the low
end we would pay $36,000 for a help desk
position and then anywhere between $60,000
and $90,000 for senior IT staff. Because I can’t
invest in staff, I am going to invest in this
automation tool.”


‘Big four’ mgmt vendors
could become ‘Big three’

The days of referring to the leading
management software vendors as
the “big four” are numbered, industry
watchers predict, as challengers to BMC,
CA, HP and IBM now include a variety of
competitors from start-ups to software
giants such as Microsoft and Oracle.

Forrester Research recently released a
paper that advised IT executives on optimizing
their IT management software
portfolio. While a majority of companies
have multiple management products in
house, at least one of four names is likely
to dominate customer portfolios: BMC,
CA, HP and IBM. Forrester advises IT
executives to employ a management
strategy that would designate one vendor
as an “anchor” and then fill technology
gaps with others. HP and IBM would be
likely anchors, but the report reveals
BMC and CA might not be able to fill that
role going forward.

“HP and IBM are so massive that they
will likely survive an assault on their business,
but BMC and CA are the smallest
mega-vendors and are therefore a bit
more vulnerable to business fluctuations
and acquisitions,” says Glenn O’Donnell,
a senior analyst with the firm.

BMC and CA don’t have the hardware
or services business that HP — more so
now that its EDS acquisition is final —
and IBM do. “Oracle, the formidable wild
card, is a minor management vendor now,
but it will acquire leadership in its typical
bold manner. Either BMC or CA is the
likely prey,” O’Donnell says. “Oracle must
become a significant leader in management,
as this business represents a key
element of its overall business automation
strategy.”

CA, in particular, would be an attractive
acquisition for the two software makers.
Recent technology developments and
dedication to building its customer base
has the vendor making points with the
analyst community and earning
respectable customer satisfaction
reviews.

— DENISE DUBIE
Gas shortage spurs teleworking

Companies  in  Southeast  U.S.  expand  teleworking  to  offset  fuel  crunch 


BY  ANN  BEDNARZ 

Gas shortages in the Southeast United States
are prompting companies to consider expanding
their telework programs so employees
can conserve fuel. Other options workers
are weighing include greater use of carpools
and public transit, along with alternative
scheduling arrangements such as four-day
work weeks.

In the Atlanta area, the current gas shortage
is the latest energy-related issue that’s getting
companies to redouble their efforts to formalize
or expand telework programs, says Mike
Williams, director of programs and employer
services for The Clean Air Campaign, a nonprofit
organization that works with Georgia
employers, commuters and schools to reduce
traffic congestion and improve air quality.

“For companies that are working to formalize
a telework program, it’s an added reason
for them to act more quickly,” Williams says.
“For companies that have an informal telework
arrangement going on, it’s another way
for us to bring up reasons why they need to
formalize those programs.”

But, he adds, due diligence is important.
“We’re not trying to get people to react immediately
to the gas shortage and just start teleworking,”
he says.

Georgia, Tennessee and North Carolina are
among the states hardest hit by gas shortages
brought on by hurricane damage to the oil-refining
regions of the Gulf Coast.

Hurricanes Gustav and Ike, which made U.S.
landfall on Sept. 1 and Sept. 13, respectively,
decimated fuel production from the Gulf of
Mexico. As of Sept. 29, more than 57% of crude
oil production capacity in the Gulf of Mexico
was out of commission (down from 89% on
Sept. 22), and two refineries remained shut
down, according to the U.S. Department of
Energy (DOE).

For residents in the Southeast United States,
the result is long gas lines and scores of service
stations with no gas.

Last week a Georgia official issued a call for
greater teleworking in response to the shortage.
John Oxendine, commissioner of insurance
and safety fire for the state, announced
that any employees in his department
whose job responsibilities don’t require
them to be physically present at the state
office building could telework until the
gasoline shortage ends.

He also called on other state agencies to do
the same. “As leaders of this state, we are obligated
to find ways to relieve the burden of this
gasoline shortage off the backs of taxpayers,”
Oxendine said in a statement. “By allowing
additional state employees to work from their
homes, this action should help reduce some
of the strain on our gasoline supply and benefit
those in the public and private sectors who
are unable to telework.”


Fueling change

Escalating gas prices have prompted
employees to change their commuting
habits in the following ways:

Working fewer days of the week
Working from office closer to home: 29%
Looking for a new job closer to home: 30%
Telecommuting more frequently: 33%
Driving a more fuel-efficient car: 33%
Increasing carpooling or ride-sharing: 46%

SOURCE: ROBERT HALF INTERNATIONAL
POLL OF 500 U.S. WORKERS


Outside the region most impacted by gas
shortages, companies are making workplace
changes to combat commuting burdens.

The IT department at Johns Hopkins University’s
Bloomberg School of Public Health
just expanded its telework program to let staff
work from home two days per week instead of
the one day previously allowed. Gas prices
certainly played a role in the decision, says
Ross McKenzie, director of IT at the Baltimore
school.

Another factor was the need for staff — particularly
programming and operations — to
have more “uninterrupted time” to focus on
completing and documenting projects,
McKenzie says. Being able to work from home
more often has been beneficial, he says: “The
impact on IT has been increased morale and
a more productive workforce.”

No  overnight  relief 

Meanwhile, experts don’t expect the shortage
to disappear overnight.

Since refineries first shut down in anticipation
of Hurricane Gustav, nearly 45 million barrels
of gasoline, distillate fuel and other products
have not been produced, according to
the DOE’s Energy Information Administration.
In addition, two major pipelines that span from
the Gulf Coast to the East Coast — the
Colonial and Plantation product pipelines —
continue to operate at reduced rates.

“It takes several days for a refinery to get
back to normal operation after first getting
power restored, even if there is no significant
damage following a hurricane. Refined
product supplies are still constrained in
portions of the country because of refining
capacity that is still significantly reduced
from pre-hurricane levels,” the Energy
Information Administration reported on
Sept. 26.

Hurricane impacts on U.S. oil and natural gas
availability will continue to be felt for several
days, the organization reports:

“As refineries return to full production, supplies
will increase into pipelines, thus providing
more supplies to those that have seen constraints
in the supply system. But it could take
several days or even a couple of weeks before
the distribution system, from refineries to retail
stations, is once again at pre-hurricane operation
levels.”

In metropolitan areas such as Atlanta, a summer
of high gas prices followed by the current
gas shortage has spurred more local businesses
to embrace telework.

The Clean Air Campaign has seen a surge
in the number of companies looking to
implement telework programs for the first
time.

Last year, between January and July, the
organization helped about 40 companies to
start or expand telework programs and was
working with an additional 30 companies
trying to get the management support they
needed to launch telework programs,
Williams says.

This year so far, The Clean Air Campaign has
helped about 100 companies to start or expand
telework programs and is working with
an additional 100 companies trying to make
that commitment.

What’s particularly encouraging is that
many big-name Atlanta companies are implementing
telework programs for the first
time, including Bank of America and Home
Depot, Williams says. “We’re really excited
about that,” he says.

Gas prices have a lot to do with the explosion
of corporate interest. “People are struggling
financially, and employers are trying to
figure out a way to help,” Williams says. Establishing
a telework program “is something that
they can do that not only helps the employee
but also benefits their bottom line.”

Senior Editor Denise Dubie contributed to this
story.
This message may say it all, but bringing it through security
could result in a lengthy conversation with the TSA.


Net  Buzz 

continued  from  page  42 

all  got  a  little  more  accustomed  to 
creatively  talking  back  instead  of 
following  instructions,  the  U.S. 
would  be  in  much  better  place. 

“People  have  been  sending  me 
lots  of  good  ideas  (for  plates),  for 
example  the  4th  Amendment, 

“(TSA  Administrator)  Kip  Hawley  is 
an  idiot,”  and,  “Put  me  in  the  slow 
lane  where  you  hand  search  every¬ 
thing  I’m  carrying.” 

What  has  happened  on  your  trial 
runs? 

“At  the  Amsterdam  airport  I  went 
through  security  with  the  box  cutter 
plate  (which  I’m  calling  “the  exact 
opposite  of  a  box  cutter”). They 
asked  me  what  was  in  my  bag  and 
when  I  reached  to  open  it  up  they 
got  a  little  jumpy  and  told  me  not 
to  touch  it.They  swiveled  the  moni¬ 
tor  around  to  show  me  the  item  in 
question  and  I  was  happy  to  see 
that  the  resulting  image  showed  up  almost 
exactly  like  the  concept  images  I  had  made 
up.  After  I  told  them  it  was  an  art  project  they 
relaxed  and  allowed  me  to  take  it  out  of  the 
bag,  at  which  point  they  let  me  go  (you  have 
to  love  The  Netherlands). 

“Then  today  I  took  the  American  flag  plate 
from  Hong  Kong  to  Bangkok,  and  they  didn’t 
notice.” 

As Roth’s project has started to get a bit of attention on the
Internet, it’s been suggested by many that he is simply begging for
trouble. We already know what happens if you try to go through TSA
screening — say at Boston’s Logan Airport — wearing a pin that looks
like a bomb.

Coincidentally, I happen to have a reliable source — OK, he’s my
brother — who works for a company that provides screening equipment
to airports, military installations and the most security-sensitive
of government facilities. (He has government security clearance and
I could tell you the famous place where he was last week, but then
he’d have to kill us both.)

I  sent  him  the  link  about 
Roth’s  X-ray  art  and  asked 
whether  he  thought  this  would 
a)  work  as  the  artist  intends, 
and  b)  go  over  very  well  at 
your  typical  airport  security 
station.  His  reply: 

“It is beyond me why anyone would do anything that would increase
their likelihood of being selected for more intensive screening.
It’s a funny concept, but a very bad idea in practice.

“Yes,  it’s  very  doable  —  we 
do  similar  things  for  testing,  like 
cut  a  hand-grenade  silhouette 
out  of  a  thin  sheet  of  lead.  If 
anything  obscures  the  imagery 
of  the  bag,  the  screener  will  certainly  be  more 
likely  to  perform  additional  screening.” 

And  you  don’t  have  to  have  government 
security  clearance  to  know  what  “additional 
screening”  can  mean.  Roth  says  he  doesn’t 
like  flying  now?  I’m  thinking  he’s  going  to  be 
liking  it  a  lot  less  before  long. 

Skip the metal plates and e-mail your comments to buzz@nww.com.


NAC gets a seat at the table

Furniture  maker  uses  ForeScout  CounterACT  to  back  up  other  security  tools 


NAC  gear  used  to  check  regional  branches 

Office  furniture  maker  Haworth  uses  regionally  placed  ForeScout 
CounterACT  gear  to  check  the  configuration  status  of  new  devices  as  they 
log  on  to  the  corporate  network. 


[Figure: client device and Cisco switch at the branch office; CounterACT appliance at regional HQ]

1. A device attempts to log on at a branch office.

2. A ForeScout plug-in in a Cisco switch sends notification of the logon attempt
over the MPLS WAN.

3. The CounterACT appliance at regional headquarters interrogates the machine
for compliance with policies.


BY  TIM  GREENE 

When  Chad  Clement  joined  worldwide 
office  furniture  maker  Haworth  18  months  ago, 
he  discovered  the  company  needed  to  get  a 
handle  on  network  security. 

Part of the problem was that Haworth didn’t have an accurate
inventory of the 12,000 devices on the network, which spans 80 sites
worldwide, and that even with configuration management tools in
place, some devices didn’t meet corporate configuration standards.

As the company’s new information security manager, Clement also
wanted to deploy an intrusion-detection system (IDS) so he would
know when the company’s valuable data-center assets were being
compromised.

A data-security assessment commissioned before he got there found
cracks in the company’s defenses, including endpoint integrity. “We
wanted to make sure that all the hosts in our environment belonged
in our environment, as well as had a standardized configuration on
them — that the antivirus was our standard antivirus and that it was
up to date,” Clement says.

The company had Shavlik NetChk management and configuration software
for servers and Symantec’s Altiris client management for desktops,
but they didn’t catch everything. “Machines got missed,” he says. “A
lot of times it was that the agent wasn’t running on them to inform
users that they needed to get their updates.”

Also in use on the network were Qualys vulnerability management and
BMC Remedy service management software, and Clement thought he could
make better use of them.

The security-assessment consultant had used ForeScout’s CounterACT
network access control (NAC) gear to help discover devices on the
Haworth network for its report. Clement says that capability plus
its IDS features and the ability to assess compliance with corporate
endpoint configuration standards interested him in the ForeScout
appliance.

He also considered StillSecure, but after trying out an online
simulation he decided he liked the ForeScout interface better and
the visibility that it gave him.

The fact that the CounterACT platform integrates with the BMC Remedy
service-management software influenced him, too. The firm uses BMC
Remedy as a way to track trouble tickets, and CounterACT can work
with it to automatically open tickets when endpoints are found out
of compliance with corporate configuration standards.

“But the goal with the Remedy plug-in is, when they’re out of
compliance, automatically create a Remedy ticket to have the issue
resolved,” he says. That integration is on hold at the moment,
though, because the company is upgrading its Remedy deployment.

CounterACT  also  integrates  with  the 
Qualys  vulnerability  management  software 
to  share  what  it  discovers  about  endpoint 
configurations. 

One factor that strongly influenced his choice was that CounterACT
requires no permanent software on endpoints. “That was one of my key
criteria. I didn’t want to throw another agent on all of our
machines because we already had the antivirus agent running on them
and the patch-management agent running on them,” he says.

The  company  deployed  one  CounterACT 
box  in  its  Holland,  Mich.,  data  center  where  it 
checked  that  devices  attempting  to  gain 
access  behaved  properly  by  using  the 
device’s  IDS  capabilities.  Since  then  it  has 
deployed  seven  more. 

So far the company does not use them to ensure that endpoints comply
with configuration policies. Rather it monitors and notifies,
because he doesn’t want the enforcement to get in the way of people
doing work. “I want it to have as minimal an impact on our users as
possible, so we put it in discovery mode,” he says.

Turning on enforcement

Clement is just now considering turning on enforcement mode. “We’re
taking our time with it, making sure our asset classification
policies are working accurately so I can minimize the amount of
false positives,” he says.

He wants to be sure appropriate policies are being applied. For
instance, manufacturing controllers on the network have no antivirus
software, so he didn’t want to risk blocking one from the network
for failure to comply with the antivirus policy. “I wouldn’t want to
take a controller down and stop production,” he says.

Clement  hasn’t  yet  discussed  with  the  IT 
team  whether  to  turn  on  self-remediation 
where  noncompliant  endpoints  would  be 
forced  to  a  portal  where  users  would  be 
instructed  how  to  bring  their  machines  into 
compliance. 

Ultimately  he  wants  to  check  all  endpoints 
on  the  LAN  and  all  devices  connecting  via 
VPN  as  well  as  the  corporate  or  guest  wireless 
networks. 

Guests are allowed on Cisco wireless access points that broadcast
separate SSIDs. They have access to one of those SSIDs that tunnels
all the traffic to the corporate DMZ, and they can access only the
Internet.

Traffic through the Cisco VPN concentrators on the network is being
monitored via a CounterACT VPN plug-in that allows authentication to
be proxied to the NAC device, which then interrogates the endpoint.

Despite being a Cisco shop, Haworth decided against Cisco NAC. “I am
the security team here, so I was looking for something that was easy
to manage, and ForeScout gave me that,” Clement says. “My personal
preference is to go with vendors that are security-centric because I
feel I can give a lot more input and see results.”


18  •  OCTOBER  6,  2008  •  www.networkworld.com 


How  IPv6  is  like  the  U.S.  financial  crisis 


Not long ago, the powers-that-be detected an impending crisis. To
resolve it, they rushed into action crafting a proposal that
represented an unprecedented upheaval of existing infrastructure. On
the grounds that “something needed to be done” to avert the crisis,
they brushed aside objections that the upheaval was too convulsive
and might fail to address the underlying issues that had created the
crisis in the first place.

The  financial  bailout  proposed  by  the 
Treasury  Department?  No  —  I’m  talking  about 
the  creation  of  IPv6. 

Back in the early 1990s, the Internet Engineering Task Force (IETF)
decided that IPv4 addresses were being consumed at an alarming rate:
Predictions at the time were for address depletion by 2000. To avert
the address-depletion crisis, IETF members kicked into high gear a
working group called IPng (for next-generation), which ultimately
became IPv6.

Unfortunately, as many people at the time pointed out, in their
haste to fix the address-depletion problem, the IPv6 planners missed
a couple of key points. First was that the problem wasn’t as grave
as initially thought. Developments such as classless interdomain
routing and network address translation vastly extended IPv4’s
half-life. Secondly — and more seriously — IPv6 failed to solve
several of the problems that continue to bedevil Internet
architecture today. One is the difficulty of multihoming,
particularly in a mobile-endpoint environment. Another is address
fragmentation.

Finally, IPv6 also introduces new problems. I’ve written previously
about how it increases bandwidth requirements. Additionally, it may
create route-resolution problems: Some noted engineers fear that the
added computational requirements for route convergence with IPv6
will mean permanent routing instability in large-scale networks.
(You would think academic researchers might have tested this
hypothesis by modeling IPv6 routing at very large scales — so far as
I know, they haven’t.)

And of course, the transition to IPv6 is reportedly pretty hairy.
Gateways don’t work as advertised, applications have embedded IPv4
addresses, and overall a lot of effort is required simply to
recreate the status quo.

But here’s the kicker: IPv6 may be totally unnecessary. As I’ve
mentioned in a previous column, noted Internet researcher John Day
has developed an architecture that completely obviates the need for
IPv6 — and solves the routing and multihoming challenges that IPv6
doesn’t — without requiring a painful transition. Oh, and it adds a
graceful and elegant way for carriers to manage congestion without
needing either deep-packet inspection or application-censoring.
Essentially, if implemented correctly, Day’s approach makes net
neutrality a default capability of the architecture — while
providing carriers with a mechanism by which to protect their
networks and charge for value-added services.

Why aren’t we deploying Day’s approach? Lots of reasons, including
the quite good one that it hasn’t been delivered in implementable
form yet.

But  the  bottom  line:  Sometimes  in  the 
rush  to  promote  a  kludge  to  resolve  a  crisis, 
real  solutions  may  get  short  shrift. 

Johnson  is  president  and  senior  founding 
partner  at  Nemertes  Research,  an  independent 
technology  research  firm.  She  can  be  reached 
at  johna@nemertes.com. 
soft propping Web 2.0 tools


BY  JOHN  FONTANA 

Microsoft last week began to unveil the evolution of its
infrastructure and development tools that will be part of a
Windows-based foundation for supporting Web 2.0 and composite
applications.

At its annual Professional Developers Conference, which begins Oct.
27, Microsoft will give attendees “community technology previews”
(CTPs) of Windows Workflow Foundation (WWF 4.0), Windows
Communication Foundation (WCF 4.0) and a set of technologies
code-named Dublin that is the beginning of a Windows application
server for hosting composite applications. The company is not
announcing final delivery dates for the software, but Microsoft
clearly is beginning to align its software and development tools as
it defines its future as a services company.

The CTP software available later this month is part of the
forthcoming .Net Framework 4.0 that is designed to ease the
development and integration of distributed applications running as
services. Dublin addresses the platform to support those services.
“Dublin reaches toward the goal of conquering the complexity of
building distributed apps,” says Forrester Research analyst John
Rymer.

Dublin has many important features including an extension of the
programming model, improved support for Representational State
Transfer (REST) and Atom, expanded use of the Extensible Application
Markup Language (XAML) across applications, and support for new
visual development tools for WWF, Rymer says.

Dublin, however, “may be too much too soon” for many users still
getting familiar with the .Net Framework 3.5, Rymer cautions. And
Microsoft still must prove the viability of its goal to simplify the
creation, deployment and maintenance of service-oriented
architecture (SOA) applications by using executable models, he says.
“If Microsoft gets it right, the results will be very useful for
developers. But this has never been done before,” he adds.

Last week’s announcement came two days after Microsoft provided a
quick peek at Visual Studio 2010 and the .Net Framework 4.0, and
said the two would be categorized under five focus areas. One of
those areas is titled “riding the next-generation platform wave,”
and the Dublin announcement targets that theme.

“We are trying to address the move toward Web services and composite
applications,” says Burley Kawasaki, director of product management
in the connected-systems division at Microsoft. The applications
could be traditional SOA-type or Web 2.0 applications, he says.

One important step for developers is improved support for REST
interfaces in WCF 4.0 and a REST Starter Kit.

REST is a way to build simple interfaces for services and is a
lightweight alternative to the Simple Object Access Protocol (SOAP)
used in many Web services. There is a running debate among
developers comparing Microsoft’s WS-* stack of Web services
protocols, which are mostly based on SOAP, and REST, which many say
is simpler and more elegant.

The Starter Kit will ship with WCF in the .Net Framework 4.0 and
provide Visual Studio project and item templates including: REST
Singleton Service, REST Collection Service, Atom Feed Service, Atom
Publishing Protocol Service and HTTP Plain XML Service.

“Microsoft has finally gotten on the REST bandwagon,” says Stephen
Forte, chief strategy officer for Telerik, which develops user
interface components for ASP.Net, Windows Forms and .Net Reporting
software. “I would suspect you will see more REST support everywhere
in the framework.”

The Starter Kit also includes support and guidance for caching,
security and error handling in REST servers, as well as early ideas
for a REST client, according to Microsoft.

The Starter Kit will be available on CodePlex when it’s released in
late October.


Microsoft also plans to use XAML to integrate WCF and WWF, giving
developers the ability to build entire applications in XAML. With
entire applications defined in XAML, even non-developers will have
the flexibility to make changes.

With Dublin, Microsoft is turning its Web application server into a
platform to host those applications. Dublin will provide code as
prebuilt services including message-based correlation, message
forwarding service, content-based message routing and compensation
service for long-running transactions.

“You as a developer don’t have to write all the infrastructure code
you might have to today,” Microsoft’s Kawasaki says. Dublin also
will work with BizTalk Server and integrate with Oslo, Microsoft’s
forthcoming modeling platform that will be highlighted at PDC. Users
building Oslo models will be able to deploy those on Dublin.

“The term ‘Oslo’ now refers only to the next generation of tools for
building application models that Microsoft is working on, not the
whole set of development and runtime technologies Microsoft’s
connected systems division is building.


Microsoft will float Cloud OS this month

BY JOHN FONTANA

Microsoft at the end of the month will unveil its “Cloud OS,” the
stealthy Ray Ozzie project that provides a virtual Windows
operating-system platform for the rapid development, deployment and
maintenance of Internet services and applications.

Microsoft will unveil details later this month at its Professional
Developers Conference (PDC) and show developers the APIs and
plumbing services provided by a utility computing platform
code-named Red Dog. In essence, Red Dog is an
application-development and execution platform that lives on the
Internet. It’s similar to Amazon.com’s Elastic Compute Cloud and
Google’s App Engine cloud-based application platforms. With Red Dog,
developers write their applications to take advantage of cloud
operating-system services much as they do to exploit services on
desktop and server operating systems.

Microsoft also plans to detail the next version of its .Net
framework and improvements to its Web application server that will
make it a platform for hosting composite and Web 2.0 applications.

Microsoft CEO Steve Ballmer told IT managers at a meeting in London
last week that the official name and details of something he called
“Cloud OS” would see their debut at PDC.

Ozzie and his cloud infrastructure services team at Microsoft have
been working quietly for the past few years on what has come to be
known as the Red Dog project.

In simple terms, the platform will be Windows Server for the cloud
and will provide such functions as scaling and server management,
Ballmer says. He told the IT managers the first version will work
with Microsoft’s data center but future versions could be used in
other data centers.

“If you are a developer writing an application on the Microsoft
platform, what is new that you will be able to do or to use that you
can’t do today — those are the questions that should be answered at
PDC,” says Matt Rosoff, an analyst with Directions on Microsoft.

In July Ozzie said the services platform, as he called it at the
time, would provide users with “a new kind of system designed for
massive scale-outs, running on large redundant arrays of inexpensive
commodity servers in the cloud.”

Is ignorance of the law a design goal?

Carl Malamud, who for years has been trying to let you have Internet
access to government documents you supposedly should have access to,
is making news again.

You now have Internet access to federal court decisions, Securities
and Exchange Commission documents, patent documents, congressional
bills and copyright registrations. You can thank Malamud for a lot
of this. Nonetheless, too many state and local governments seem not
to get the concept that the public should have free access to such
documents.

An article in The New York Times focuses on Malamud’s current
efforts to get all U.S. laws, as well as standards required by U.S.
law, freely downloadable over the Internet. It seems Kafka-esque,
but you do not have open access to some of the laws you are supposed
to obey. Around half of U.S. states claim copyright on the laws
their legislatures are working on and pass. Too many use this claim
to restrict public access to the laws — generally because they have
worked out a deal with a private company to package the laws with
ostensibly useful additions, then sell the result.

The result is the same as it would be if those states wanted people
to not know the law so the state could always have some way to
arrest its citizens for something.

Progress is being made, even if slowly

Too many courts do the same with their decisions even though there
have been rulings going back to Banks v. Manchester in 1888 that say
court decisions should be public. I’ve run into dead ends too often
when I try to track down a decision while researching for columns.
Malamud now is worrying about another aspect of the problem.

Almost all of the time, the codes you are required by law to follow
for safety when you build a house or design a product are sold by
the groups that create the codes. This also is a case of being told
by the law that you must do — or not do — something, but not being
able to find out what without paying for the information.

A  few  years  ago  this  was  the  subject  of  a  legal  case  in  Texas  (the 
Veeck  case),  which  said  it  was  OK  to  post  codes  that  are  mandated  by 
law  for  free  access. 

Malamud’s  organization  is  posting  codes  from  all  over  the  country, 
much  to  the  annoyance  of  the  groups  that  develop  and  publish  them. 

It is not just codes that get mandated by laws. Some laws mandate
specific technical standards. The logic in the Veeck case also would
apply in these cases. This is not a problem for such standards
development organizations as the IETF and World Wide Web Consortium
and now the ITU Telecommunication Standardization Sector, which make
their technical standards available on the Internet for free. It is
a very big concern, however, to the many standards development
organizations that help pay for their organization’s operation with
the money they get from selling their standards.

It  will  take  time,  but  my  money  (or  actually  non-money)  is  on 
Malamud.  It’s  going  to  get  progressively  harder  for  public  servants  to 
keep  the  public  from  the  things  they  pay  for  and  need  to  know. 

Disclaimer: Education at Harvard can be free for households with
incomes of up to $60,000 per year, and not all that expensive for
households with incomes up to $120,000 per year, though that does
not mean it’s cheap. But the university has not expressed an opinion
on the need for free codes and standards, so the above is my
opinion.

Bradner  is  Harvard  University's  technology  security  officer.  He  can  be 
reached  at  sob@sobco.com. 


NET  INSIDER 


Scott  Bradner 


Only  the  shadow  IT  knows  for  sure 


There’s  IT,  and  then  there’s  shadow  IT. 

Shadow IT is all the technology that was neither planned nor
approved by anyone but gets chosen, deployed and used. Some see this
as the grass-roots deployment of cool technologies; some see it as
weeds growing from any crack in the IT plan. If you don’t build it,
they will go find it elsewhere. If you build it and it isn’t
adequate, comprehensive, flexible and easy to use, they will go find
it elsewhere.

In most companies, users quite comfortably will sidestep any IT
system that isn’t working for them and find their own. Worse,
company users will seek out the externally hosted offerings that
they use as consumers and adapt them to business use. What about all
the security controls you carefully deployed to protect the
business? There’s a good chance that users see security controls as
bugs, and seek external solutions precisely because they are
unencumbered by security.

Enterprise users inevitably will make comparisons between the
applications that IT serves up and the stuff they use as consumers.
Nowadays, for every enterprise application provided by corporate IT
there seem to be a dozen Web-based alternatives that are cooler and
better designed, and can be mashed up, shared and extended.

Part of the reason for all the hype behind enterprise Web 2.0 is
that run-of-the-mill enterprise applications look so bad by
comparison. Sure, these applications have better controls, audit
capabilities, backup, security, reporting and workflow mechanisms.
For most employees, however, these are not features, they are
encumbrances. How do you make sure your employees use
company-approved applications and don’t go shopping for their own
application infrastructure?

First of all, saying no doesn’t help. You can put policies and
controls and even penalties and audits in place, but users will
still seek out unauthorized applications. For years instant
messaging was banned in many companies (it probably still is in
some). Network audits almost always show plenty of “banned”
applications running on the network. If you crack down hard, the
applications become stealthy (tunneling encrypted IM over HTTPS over
port-hopping TCP or whatever). I personally think that outright bans
serve only to ossify corporate IT further by removing competition
and allowing mediocre applications to survive. But clearly you don’t
want a free-for-all.

A much better approach is for your company to have a more balanced
security program that emphasizes training and awareness as much as
controls and penalties. After all, employees aren’t being insecure
deliberately. Most of the time they are not aware of the risks in
applications they consider to be more flexible or easier to share.

IT should be open to examining external applications. Perhaps you
can integrate and enable that new application securely. If you let
employees ask for new applications and soberly evaluate them in
comparison to internally developed applications, you create the
opportunity for innovation and security. The alternative is the
head-in-the-sand approach: Mandate, prohibit, control and penalize —
and be sidestepped by users who see corporate IT and security as
dinosaurs impeding the flow of business.

Antonopoulos  is  a  senior  vice  president  and  founding  partner  at 
Nemertes  Research,  an  independent  technology  research  firm.  He  can 
be  reached  at  andreas@nemertes.com. 
Andreas Antonopoulos

Collaboration causes net problems

Cisco  study  finds  changing  work  environments  increase  data-leakage  mistakes 


BY  JIM  DUFFY 

Numerous behavioral risks taken by employees in increasingly
distributed and remote locations can lead to the loss of corporate
information, according to a study commissioned by Cisco.

Cisco, which is evangelizing and banking a large chunk of its growth
on collaboration, says that as workforces become increasingly
mobile, lines are blurring between work life and personal life. This
could lead to risky or reckless use of company IT resources,
resulting in leakage of sensitive data, the company says.

“Businesses are enabling employees to become increasingly
collaborative and mobile,” said John Stewart, Cisco CSO, in a
statement. “Without modern-day security technologies, policies,
awareness and education, information is more vulnerable.”

The study, conducted by InsightExpress and commissioned by Cisco, is
based on surveys of more than 2,000 employees and IT professionals
in 10 countries. It is intended to examine security and data leakage
implications for businesses as employee lifestyles and work
environments are becoming increasingly untethered from a fixed
location. It also identifies common data leakage mistakes and risk
management opportunities among workforces around the world as this
new workplace paradigm is increasingly adopted.


BY NANCY GOHRING, IDG NEWS SERVICE

Companies can now buy a network appliance from Cisco that runs basic
Windows Server 2008 functions, a product designed for use in branch
offices, Cisco and Microsoft announced last week.

The companies said in February that they were working on a way for
enterprises to run Windows Server 2008 services locally at a branch
office on Cisco’s Wide Area Application Services networking
appliance. The alternative for many companies is either to use a
full Windows Server at every branch, which could be overkill, or run
all features centrally, which could result in slow performance for
branch workers.

With the new product, called Windows Server on WAAS, branch offices
can host services locally, including Active Directory, Microsoft
Print Services, Microsoft Domain Name System Server and Microsoft
Dynamic Host Configuration Protocol Server. That can improve
performance for branch workers and reduce costs related to wide area
network connectivity and branch systems manage-


The  study  surveyed  1,000  employees  and 
1,000  IT  professionals  from  various  industries 
and  company  sizes  in  10  countries:  the  United 
States,  the  United  Kingdom,  France,  Germany 
Italy  Japan,  China,  India,  Australia  and  Brazil. 
The  countries  were  chosen  because  they  rep¬ 
resent  a  diverse  set  of  social  and  business  cul¬ 
tures,  established  and  emerging  network- 
dependent  economies  and  varied  levels  of 
Internet  adoption,  Cisco  says. 

The  10  most  noteworthy  behavioral  findings, 
according  to  Cisco,  were: 

1.  Altering  security  settings  on  computers: 
One  of  five  employees  altered  security  settings 
on  work  devices  to  bypass  IT  policy  so  they 
could  access  unauthorized  Web  sites.  More 
than  half  said  they  simply  wanted  to  access  the 
site  while  one-third  said, “it’s  no  one’s  business” 
which  sites  they  access. 

2.  Use  of  unauthorized  applications:  Seven  of 
10  IT  professionals  said  employee  access  of 
unauthorized  applications  and  Web  sites  ulti¬ 
mately  resulted  in  as  many  as  half  of  their  com¬ 
panies’  data  loss  incidents.This  belief  was  most 
common  in  the  United  States  (74%)  and  India 
(79%). 

3.  Unauthorized  network/facility  access:  In 
the  past  year,  two  of  five  IT  pros  dealt  with 
employees  accessing  unauthorized  parts  of  a 


ment.  An  IT  administrator  can  remotely  man¬ 
age  the  Windows  Server  functions  using 
Microsoft  System  Center. 

Cisco  used  embedded  virtualization  tech¬ 
nology  in  its  appliance  to  enable  Windows 
Server  2008  to  run  on  it. 

Some  companies  that  had  early  access  to 
the  product  describe  their  experiences  on  a 
Web  site  set  up  by  Microsoft  and  Cisco.  Farm 
Credit  Services  of  Mid-America  had  180  Win¬ 
dows  Servers,  including  one  in  nearly  every 
branch,  said  Jim  Curtis,  director  of  infrastruc¬ 
ture.  His  goal  with  Windows  Server  on  WAAS  is 
to  move  most  of  the  branch  servers  to  the 
company’s  data  center  to  make  better  use  of  a 
small  infrastructure  support  staff. 

He  currently  runs  Active  Directory  centrally, 
but  once  the  appliance  setup  is  complete  he 
could  move  Active  Directory  to  the  branches 
as  a  read-only  function,  improving  log-in  times 
for  workers  and  mitigating  potential  security 
issues,  he  said. 

Pricing  for  Windows  Server  on  WAAS  starts  at 
$10,000,  including  the  hardware  and  the  soft¬ 
ware  license.  ■ 


network  or  facility  Of  those  who  reported  this 
issue  globally  two-thirds  encountered  multiple 
incidents  in  the  past  year  and  14%  encoun¬ 
tered  this  issue  monthly 

4.  Sharing  sensitive  corporate  information: 
One  of  four  employees  admitted  verbally  shar¬ 
ing  sensitive  information  to  non-employees, 
such  as  friends,  family  or  even  strangers.  When 
asked  why  some  of  the  most  common  answers 
included,  “1  needed  to  bounce  an  idea  off 
someone,’ ’“I  needed  to  vent”  and  “I  did  not  see 
anything  wrong  with  it.” 

5.  Sharing  corporate  devices:  Almost  half  of 
the  employees  surveyed  share  work  devices 
with  others,  such  as  non-employees,  without 
supervision. 

6.  Blurring  of  work  and  personal  devices, 
communications:  Almost  two  of  three  employ¬ 
ees  admitted  using  work  computers  daily  for 
personal  use.  Activities  included  music  down¬ 
loads,  shopping,  banking,  blogging  and  partici¬ 
pating  in  chat  groups.  Half  of  the  employees 
use  personal  e-mail  to  reach  customers  and 
colleagues,  but  only  40%  said  this  is  authorized 
by  IT. 

7.  Unprotected  devices:  At  least  one  in 
three  employees  leave  computers  logged  on 
and  unlocked  when  they’re  away  from  their 
desk.  These  employees  also  tend  to  leave 
laptops  on  their  desks  overnight,  sometimes 
without  logging  off,  creating  potential  theft 
incidents  and  access  to  corporate  and  per¬ 
sonal  data. 

8.  Storing  logins  and  passwords:  One  in  five 
employees  store  system  logins  and  passwords 
on  their  computer  or  write  them  down  and 
leave  them  on  their  desk,  in  unlocked  cabinets 
or  pasted  on  their  computers.  In  some  coun¬ 
tries  such  as  China,  28%  of  employees  reported 
storing  logins  and  passwords  to  personal  finan¬ 
cial  accounts  on  their  work  devices. 

9.  Losing  portable  storage  devices:  Almost 
one  in  four  employees  carries  corporate  data 
on  portable  storage  devices  outside  of  the 
office. 

10.  Allowing  “tailgating”  and  unsupervised 
roaming:  More  than  one  in  five  German 
employees  allow  non-employees  to  roam 
around  offices  unsupervised.  The  study  aver¬ 
age  was  13%,  and  18%  have  allowed  unknown 
individuals  to  tailgate  behind  employees  into 
corporate  facilities. 

Cisco  says  these  findings  can  help  compa¬ 
nies  sculpt  global  risk  management  plans.  To 
prevent  data  loss,  the  company  recommends 
practices  for  preventing  data  loss,  including: 

•  Know  how/where  data  is  stored,  accessed 
and  used. 

•  Protect  data  like  it’s  money  —  educate 
employees  how  data  protection  equates  to 
money  earned  and  money  lost.B 


Cisco,  Microsoft  roll  out  server 


24  «  OCTOBER  6,  2008  •  www.networkworld.com 


Reinventing  storage  virtualization 

The  key  is  the  ability  to  virtualize  physical  LUNs  without  remapping 


TECH  UPDATE 

An  inside  look  at  technologies  and  standards 


BY  HU  YOSHIDA 

The initial approach to storage virtualization, which has been around for years, was to address virtualization in the storage-area network because the SAN sat between the storage and servers and would cause the least disruption to these systems. However, after nearly a decade, this approach has not taken off while server virtualization has become widely accepted. What needs to be changed to make storage virtualization as ubiquitous as server virtualization?

Before the advent of server virtualization, servers were configured for peak load but most of the time sat idling, resulting in average utilization rates in the low teens. Many attempts were made to consolidate applications on servers to utilize idle cycles, but it was difficult to convert applications between different operating systems. The breakthrough came with the ability to virtualize the server so it could run any operating system, enabling applications to be consolidated without converting them.

The utilization of storage systems also is low, typically in the 20% to 30% range. Storage gets stranded because application owners do not want to share storage and risk having other applications impact performance or availability. Because most open systems do not allow storage volumes to be expanded as the application generates more data, the common management practice is to simply overallocate storage capacity. While the declining cost of storage helps limit the expense of that practice, the operational cost for environmentals, change management, backup/recovery, technology refresh, and search and discovery escalates as storage capacity becomes increasingly oversubscribed and underutilized.

Storage for open systems is presented through logical unit numbers (LUN) or volumes that a storage system carves out of a RAID array group of physical disk drives and presents to the application. This process of creating and managing LUNs is vendor unique. In order to virtualize storage from different storage systems, the difference in LUN or volume management must be masked.

Early attempts at storage virtualization tried to address this problem by remapping heterogeneous LUNs to a common virtual LUN format for presentation to the host systems. But remapping introduced another layer of operational and management complexity that inhibited acceptance of this approach.

Got great ideas?

■ Network World is looking for great ideas for future Tech Updates. If you’ve got one, and want to contribute it to a future issue, contact Editor in Chief John Dix (jdix@nww.com)

The breakthrough came with the ability to virtualize physical LUNs without the need to remap them by using a virtualization technique based on storage control units. LUNs are configured in the external storage systems in their vendor-specific way. These LUNs are then connected to the virtualization control unit over Fibre Channel ports as though they were connecting to a host server. Software in the control unit discovers the LUNs on the Fibre Channel port and presents them through the control unit’s cache to an application server as if the LUNs were its own.

This approach does not remap the LUN, but enables LUNs from different systems to be managed with the common management tools of the storage virtualization control unit. The LUN image is presented inside the control unit cache and inherits all the services that are available in that unit, such as copy, move and replicate. There is no need to reinvent these functions for the purposes of virtualization. Lower-level storage can improve its native performance by connecting through the large high-performance cache of the virtualization control unit.

This approach to storage virtualization is simple to implement. It masks the complexity of managing heterogeneous storage systems and can aggregate the existing storage control unit services to enhance lower-level storage systems. Because virtualization is done at the control unit level, it is not limited to SAN connections and it provides storage virtualization to any application server that connects through standard protocols such as Fibre Channel, ESCON, FICON, network-attached storage (NAS), SAN and direct attach.

Another feature that has been missing in early storage virtualization approaches is partitioning, which guarantees users who share virtualized storage safe multitenancy and QoS. In server virtualization, time slicing is used to partition virtual servers and QoS can be managed by controlling the allocation of time slices.

In storage virtualization, users who share a pool of storage resources must be guaranteed safe multitenancy, which means other users who share the same virtual storage resources will not be able to access their data nor impact performance. With a controller-based virtualization approach, partitioning can be done through cache addressing and port priority processing. Partitioning can be done close to the physical storage, where it can be enforced.

The time is right for storage virtualization, but only if storage virtualization approaches can provide these basic capabilities:

• Use existing LUNs from heterogeneous storage systems and avoid the complexity of remapping LUNs to keep it simple.

• Provide storage virtualization for all storage users, whether they are direct attach, SAN, NAS, Fibre Channel, ESCON, FICON and so on.

• Aggregate storage services and make them available as reusable services to enhance lower-level storage systems.

• Provide users the ability to safely share resources without impacting their security, availability or performance requirements.

Storage virtualization simplifies today’s increasingly complex storage environment, allowing organizations to simplify the management of their infrastructures and consolidate storage systems from different vendors into one pool of storage.

It also lets organizations mask the complexity of the underlying physical structure and greatly increase utilization through the use of thin provisioning, the ability to provision storage capacity as it is actually used and provide it as a service to storage systems that do not have that capability. Storage virtualization also brings about significant cost reductions and efficiencies by reducing the need for additional storage management tools, licenses and administrators.

Storage virtualization will deliver significant efficiencies, cost savings, power and cooling benefits, as well as greater agility in aligning storage infrastructure to business requirements.

Yoshida is CTO of Hitachi Data Systems (www.hds.com).
A better portable video tool

GEARHEAD

Mark Gibbs

A few weeks ago I discussed the Flip Mino, a miniature digital movie camera that quite impressed me.

Well, the bar has been raised. Kodak sent me its latest digicam, the Zi6 Pocket Video Camera. I liked the Mino but this product is a better choice.

It’s roughly the same size as the Mino (2.5 by 4.5 by 0.9 inches) and roughly the same weight (3.8 ounces), but the physical design is better.

Where the Zi6 really ups the ante is that it takes HD video. While it can shoot at VGA resolution, it also shoots in 720p, 16:9 format at either 30 fps or 60 fps. It also uses standard rechargeable AA NiMH batteries (the Mino’s battery is internal), has a flip-out USB connector (like the Mino), and takes SD/SDHC cards (the Mino has no expansion capability).

But the Zi6 comes with a measly 128MB of built-in storage, which is only big enough for about 30 seconds of shooting in HD format at 60 fps.

Another thing: The Zi6 also has a really irritating start-up tune. According to the product manual this can be switched off in the control menu, but in the unit I received no such menu exists (this is the kind of thing that makes me feel sorry for consumers).

Bottom line: At the same price as the Mino, $180, the Zi6 is a much better value, even though to get the same amount of storage as the Mino will cost you another $20 or so. I’ll give the Kodak Zi6 Pocket Video Camera 4.5 out of 5.

So,  a  few  weeks  ago  I  started  working  on  a  podcast  (it’s  unrelated  to 
IT)  and  I  needed  to  get  better  audio  on  my  laptop  for  recording  (it’s  a 
Sony  VGN  T250,  which  is  a  great  machine  except  for  its  crappy  audio). 
The  quick  and  dirty  solution?  A  Griffin  Technology  iMic. 

The  disk-shaped  iMic  is  a  USB  audio  adapter  that  provides  stereo-in 
and  stereo-out  ports  outside  of  the  PC,  removing  the  noise  source. 


The  iMic  is  inexpensive  ($50)  and  simple  to  use,  and  it  provides  a  way 
of  getting  pretty  good  sound  in  and  out  of  your  PC  without  the  noise 
and  distortion  that  is  common  with  most  built-in  sound  hardware. 

The  disadvantage  is  that  the  iMic  isn’t  professional  grade,  and  Griffin 
is  cagey  about  committing  to  definitive  specs  (not  unreasonable 
given  the  price). That  said,  it’s  good  enough  for  anything  but  classical 
music. 

The iMic converts incoming analog audio into 24-bit digital samples at 48KHz, but PC audio subsystems that use Microsoft’s high-latency low-resolution audio Windows Driver Model (WDM) drivers limit the input and output to 16-bit, 48KHz sampling.

If you want better audio performance out of the iMic you’ll need to use something like the excellent and free ASIO4ALL, which routes around the native WDM drivers and implements a standard called Audio Stream Input/Output (ASIO) that provides low latency and high sample resolution.

If you want to use the iMic with software such as Adobe’s excellent audio editing application Soundbooth, you’ll have to install an ASIO driver. Soundbooth won’t work with WDM drivers for output (at least that’s the situation with Soundbooth CS3 — Adobe just released CS4 and I’m waiting for a copy to test).

When  the  iMic  is  installed  (you  may  need  to  reboot  to  get  Windows 
to  recognize  the  new  audio  services)  you  get  good,  low-noise  audio.  But 
there’s  a  small  problem:  It  appears  that  not  all  software  understands  the 
iMic  USB  drivers.  I  discovered  this  when  I  started  testing  an  interesting 
Internet  audio  application,  Radiotracker  5  Platinum,  that  I’ll  discuss  in  a 
week  or  two. 

Gibbs has it all lined up in Ventura, Calif. What's in your queue? Tell gearhead@gibbs.com.


RealDVD: Get it while you can

COOLTOOLS

The scoop: RealDVD software, by RealNetworks, about $30 (introductory price).

What it is: RealDVD lets users save DVDs that they own onto their computer’s hard drive (internal or external drive). Once copied, users can watch the content on their computers. The software makes a complete copy of the DVD. Viewing the movie in the software requires no additional RealPlayer or other player software, and a “play and save” feature lets users watch the content play while the software transfers the content in the background. Copying a DVD takes about 10 to 40 minutes, depending on the speed of your computer, the optical drive and storage device. On average, a copied DVD takes up about 4GB to 8GB of space.

Why it’s cool: The goals of the software are to allow people to make a “fair use” copy of DVDs they own for personal storage/backup, as well as give notebook users a way to watch movies when they’re traveling without having to lug along stacks of DVDs. The software is easy to use, and the interface is beautiful to look at.

Is this legal? That’s the big question, especially with high-profile cases in the past still in a gray area. After releasing the software, RealNetworks filed suit against Hollywood studios, asking a judge to declare that the software was OK. RealNetworks says the software is fully licensed by the DVD Copy Control Association and is in compliance with the agreement. The company says it does not enable users to distribute copies of their DVDs — in fact, “it adds another layer of digital rights management encryption that locks the DVD copy to the owner’s computer to ensure the content cannot be improperly copied or shared.” It’s also basing its software on another court case, in which a trial court allowed the distribution of a product similar to RealDVD.

This extra protection was evident in my tests of the software — after copying a movie to an external hard drive, I thought I could copy the movie to a second hard drive and still play it on my computer, but the software prevented me from doing this.

Some caveats: Some of the protections that RealNetworks is putting in the software make it harder for the user to fully enjoy the product. If you get the software, make your decision about where you’re going to store the copy first (external or internal hard drive), and make sure it’s got a lot of space. In addition, RealDVD allows as many as four additional licenses of the software, but you have to pay an additional $19.99 for each one.

Some  other  minor  points  —  the  Gracenote 
database  used  to  identify  DVDs  for  box  art 
and  titles  sometimes  didn’t  work;  and  long 
periods  of  copying  tended  to  slow  down 
(and  heat  up)  the  optical  drive  and  external 
hard  drive. 

Bottom  line:  Get  the  software  while  you 
can  (RealNetworks  offers  a  30-day  trial),  in 
case  the  lawyers  start  to  muck  it  up. 

Grade:  ★★★★  (out  of  five). 

Shaw can be reached at kshaw@nww.com. New Cool Tools videos and Twisted Pair podcast every week at www.networkworld.com.




BY CAROLYN DUFFY MARSAN

Five years ago, the U.S. tech industry, politicians and Internet users were wringing their hands over the escalating problem of spam.

Back then, 45% of all emails were unwanted pitches for such products as Viagra, penny stocks or porn sites. An estimated 15 billion spam messages were sent over the Internet daily in 2003, prompting 74% of online adults to favor a law that would make mass spamming illegal.

Statistics like these prompted Congress to pass a landmark antispam bill known as the CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act in December 2003.

Fast-forward five years.

The number of spam messages sent over the Internet every day has grown more than 10-fold, topping 164 billion worldwide in August 2008. Almost 97% of all e-mails are spam, costing U.S. ISPs and corporations an estimated $42 billion a year.

The content of spam has changed, too. In 2003, spam was an annoying or offensive come-on to buy a product. Today more than 83% of spam contains a URL for a Web site that is trying to infect computers with malicious software.

Law enforcement officials have prosecuted dozens of spammers under the CAN-SPAM Act and won some high-profile cases, such as putting pharmacy spam king “Rizler” behind bars for 30 years and awarding MySpace damages of $234 million from two spammers.

Nonetheless, CAN-SPAM has done little to deter spammers. So much for the legislation that lawmakers once said was the “best tool we have” for eradicating spam and putting spammers in the slammer.

CAN-SPAM “is mostly a flop,” says Jaime de Guerre, CTO of antispam vendor Cloudmark. “I think [legislation] is rather futile anyways because the attackers are so advanced in their threats, and it’s so hard to detect where they are coming from.”

“CAN-SPAM was not the solution that many people hoped it would be,” adds Ray Everett Church, director of policy and professional services at Habeas, which sells e-mail reputation services. “As the ultimate solution to spam, it was definitely a bust. As a first step toward pushing the marketplace in a reasonable direction, it was OK.”

Industry observers say the CAN-SPAM Act of 2003 wasn’t a complete failure because it defined spam. It prompted legitimate email senders to improve their online marketing, and it led to several high-profile convictions of spammers in conjunction with other fraud laws.

CAN-SPAM “sets some basic standards for the industry that have been useful in encouraging companies to follow good e-mail practices,” Church says. “What it hasn’t done is stop the bad guys from being bad. I don’t think anybody really believed CAN-SPAM would do that.”

The CAN-SPAM Act of 2003 provides a framework for commercial e-mail senders — a minimum set of rules that companies must follow to ensure that their online sales pitches are not dubbed spam.

Most e-retailers and newsletter publishers go beyond CAN-SPAM and use an opt-in mechanism for consumers to request e-mail promotions instead of the law’s lesser requirement of an opt-out mechanism.


“The primary thing that CAN-SPAM was successful at is giving a clearer message to legitimate companies about how to use e-mail in direct marketing and how to do it appropriately,” says Graham Cluley, senior technology consultant at Sophos, a security software vendor. “It made a distinction between the really bad guys on the one hand, and incompetent companies on the other hand.”

Legitimate e-mail senders quickly complied with CAN-SPAM to avoid being fined or jailed. That’s why the law has reduced the number of consumer complaints lodged against legitimate companies.

“It has created better e-mail hygiene for legitimate senders,” de Guerre says. “In the past, they may have struggled with a message falling in the grey area and being called spam. CAN-SPAM does help a bit in that area.”


A  tool  for  prosecutors 

Another positive of CAN-SPAM is that it has led to more spammers being caught, prosecuted and convicted. “The good news is that we constantly see headlines of spammers sent to jail, but they are the tip of the iceberg. There are other spammers waiting to jump in,” Cluley says.

CAN-SPAM provides a tool for law-enforcement agencies to use to prosecute spammers.

“Lawyers were having to work overtime to stretch existing laws to cover what was going on with spam. Issues like falsified headers were not clear-cut legal offenses,” Church explains. “A lot of folks were saying: ‘What can we do to give some teeth to legal efforts to try to stop spam?’ There were a number of different proposals over many years, and the one that carried the day was the CAN-SPAM Act.”

CAN-SPAM allows the Federal Trade Commission, the Justice Department and state agencies to prosecute spammers, and it allows ISPs to sue.

The FTC has brought around 30 law-enforcement actions under the CAN-SPAM Act, according to a staff report issued in November 2007. Meanwhile, AOL, Yahoo, EarthLink and Microsoft have sued hundreds of alleged spammers under CAN-SPAM.

“One of the other good things about CAN-SPAM is that it provided the ability for end users and ISPs who are victims of spam to seek justice on their own behalf, and a number of them have taken advantage of that fact,” says Dmitri Alperovitch, director of intelligence analysis at Secure Computing.

CAN-SPAM is one of several laws — including computer fraud, mail fraud, theft and tax evasion — used to prosecute spammers.

“CAN-SPAM gets dragged into lots of cases, but it is still being interpreted by the courts. So it’s unclear how effective it can be at catching the bad guys,” Church says. “There have been a few high-profile cases where CAN-SPAM is part of the case. . . . But there’s not this massive army of law enforcement agencies who have the time and the resources to bring these cases.”

Still, the law hasn’t been much of a deterrent to other spammers.

CAN-SPAM “certainly doesn’t help in the ability to detect and catch spammers, which is one of the hardest areas in any attempt at prosecuting them,” de Guerre says. “It’s generally ignored by the spammers. I don’t think the spammers take it seriously.”

Five years after the passage of CAN-SPAM, spam is at an all-time high.

“Obviously, [CAN-SPAM] didn’t stop spam. Spam is bigger than ever,” Secure Computing’s Alperovitch says. “Anybody who expected a law to eliminate spam overnight was wildly optimistic. We have statutes against financial fraud, and we have had them for hundreds of years, but that doesn’t stop bank robberies.”

Spam levels are so high — representing 96.5% of all e-mail — that only 1 in 28 e-mails sent over the Internet is legitimate, Sophos says.

“Most businesses don’t realize how bad spam is because, thankfully, there are gateways and antispam filters that are stopping it,” Cluley says. “But the Internet providers are feeling the pain. And the IT department is feeling the pain.”

See Spam, page 32


SPAM  KINGS 


Here’s  our  list  of  the  scariest  ’ 
spammers  ever  put  behind  bars 
If  you  have  any  doubt  that  spammers 
are  criminals,  take  a  look  at  our  list  of 
the  Internet’s  worst  spam  kings.These 
bad  guys  didn't  just  send  out  e-mails 
hawking  herbal  remedies,  mortgages 
and  penny  stocks.They  were  scam 
artists  who  were  found  guilty  of  such 
crimes  as  identity  theft,  tax  evasion  and 
money  laundering.  One  of  these  spam¬ 
mers  escaped  from  jail  and  went  on  a 
killing  spree.  Read  on  to  find  out  why 
law  enforcement  agencies  need  to  keep 
putting  spammers  in  the  slammer. 


SPAMMER  AND  FAMILY  DEAD  IN 
APPARENT  MURDER-SUICIDE 

Davidson  escaped  from  prison  and  went 
on  a  killing  spree 

Edward Davidson, 35, is the poster child for why
spammers need to be prosecuted. In April
2008, Davidson pleaded guilty to tax evasion and
falsifying e-mail headers on messages
advertising penny stocks. He was sentenced
to 21 months in a minimum-security
federal prison camp in Colorado. A few
days after his July 2008 escape from
prison, Davidson was found shot dead in
an SUV, along with his wife and 3-year-old
daughter. Spared were his 7-month-old
son and a teenage daughter, who survived
a gunshot wound to the neck.


ONLINE  DRUG  LORD  SENTENCED 
TO  30  YEARS  IN  JAIL 

Spammer’s  death  threat  prompted 
lengthy  prison  stay 

Christopher Smith, 28, made millions selling
discounted Viagra and other drugs through an
illegal Internet pharmacy. In August 2007,
Smith lost all of that cash, along with his
freedom for the next 30 years. He was
convicted of conspiracy, money laundering
and illegal distribution of drugs. A
federal judge in Minnesota threw the
book at Smith, aka “Rizler,” after he
made a death threat against the children
of a witness in his trial.


Of particular concern is the number of botnets
that spammers control.

“What  the  spammers  have  done  is  use  botnets 
to  generate  huge  amounts  of  mail,”  says  Tim 
Shine,  CTO  of  SpamTitan,  an  antispam  vendor. 
“This  has  increased  the  amount  of  spam  that  is 
being  sent  by  about  50%  since  last  year  in 
Europe  and  North  America.” 

Spam  is  more  vicious  today  due  to  e-mail 
attachments  that  link  to  Web  pages  that  infect 
computers  with  malicious  code.  Spammers  steal 
data  or  take  control  over  the  infected  computer 
and  join  it  to  botnets  for  future  attacks. 

“We  see  over  5,000  new  malicious  Web  pages 
every  day,  and  most  of  them  are  linked  to  or 
from  a  spam  message,”  Cluley  says.  “The  Web 
sites  you  get  taken  to  are  not  necessarily  porn  or 
gambling.  Ninety  percent  of  them  are  legitimate 
Web  sites  that  have  been  hacked.  That,  again, 
fools  people  into  thinking  that  they’ve  received 
a  regular  e-mail.” 

Increasingly, spam is being sent by organized
crime networks rather than petty crooks.
Among the biggest money makers for spammers
are selling counterfeit products, pumping
up stocks, stealing personally identifiable
information and other scams.

“Organized  crime  is  investing  in  advanced 
R&D  organizations  that  are  conducting  these 
attacks,”  de  Guerre  says.  “They  are  developing 
botnet  software,  and  they  are  developing  the 
ability  to  modify  images  so  that  each  image  sent 
in  an  e-mail  is  different.” 

Spam  is  more  international  than  it  was  when 
the  CAN-SPAM  Act  was  passed.  One  reason  the 
law  hasn’t  been  very  effective  is  because  it 
doesn’t  apply  to  spammers  in  other  countries. 

The United States is the world’s largest spammer,
but its share of spam has dropped dramatically.
In February 2004, the United States was
responsible for 56.7% of the world’s spam. Today,
that number is at 14.9%. Next in line as top
spammers are Russia, Turkey and China.

Industry  observers  agree  that  spam  is  thriving 
in  the  post  CAN-SPAM  era. 

“Spam is continuing to escalate as opposed to
nearly being solved,” de Guerre says. “I don’t
think that spam is going away. I don’t think the
attackers are struggling. They are innovating in
the types of attacks they are able to send and
the medium they use to send them.”

Experts  say  CAN-SPAM  could  be  improved 
but  that  it  still  wouldn’t  eradicate  spam  because 
no  law  can  eliminate  scams  or  prevent  people 
from  falling  for  them. 

“As long as spam is profitable — and there is
no question that it is — and as long as people
fall for spam, then we are going to have people
trying to do it,” Alperovitch says. “Fundamentally,
spam is a people problem. As long as people
are willing to fall for the allure of $1 million
that they may have won in a lottery ...
there will be spam.”

One tweak that might improve CAN-SPAM is
to mandate opt-in mechanisms for e-mail
senders instead of opt-out. Opt-in is what antispam
crusaders originally wanted in the bill but
weren’t able to get because of opposition from
mass e-mail senders.

“I still think opt-in is the way it should work for
e-mail rather than opt-out,” Cluley says. “The
direct-marketing bodies of the world influenced
the law against the consumer.”

That’s why such antispam crusaders as the
Coalition Against Unsolicited Commercial E-Mail
warned at the law’s passage that it would
not “stop a single spam from being sent.”

“Some folks, including myself, criticized CAN-SPAM
for setting a fairly low threshold of what is
legitimate,” Church says. “It didn’t have opt-in,
which is how you build a good response rate.
The CAN-SPAM Act doesn’t focus on permission.
As long as you clear the threshold, you can
send  as  much  mail  as  you  want  until  the  recipi- 



Skyrocketing  spam 

Despite  the  CAN-SPAM  Act,  the  amount  of  spam  sent  each  year  continues  to  skyrocket. 

AVERAGE  MONTHLY  GLOBAL  SPAM  VOLUMES  IN  BILLIONS 
SEATTLE SPAMMER GETS
47-MONTH SENTENCE

Losing two civil antispam lawsuits
didn’t deter spam king

There’s an old saying
that most criminals are
stupid. That’s certainly
true of Robert Soloway,
28, who was sentenced
to nearly four years in
prison in July 2008 for his spamming
activities. Soloway pleaded guilty to
spamming, fraud and tax evasion. This
was the third time Soloway ended up in
court on spam-related charges. Soloway
lost two previous lawsuits — filed by
Microsoft and an Oklahoma ISP — but
kept on spamming.


NOTORIOUS STOCK SPAMMING TEAM
GETS NABBED BY INFORMANT

Adam Vitale and Todd Moeller serving
two-plus years in jail

Bragging about their
spamming exploits led
to the downfall of
Adam Vitale, left, and
Todd Moeller, who were
arrested by the Secret
Service after making a deal to send illicit
e-mails for a government informant.
Vitale, 27, was sentenced to 30 months in
prison this July after pleading guilty to
several counts of violating the CAN-SPAM
Act. Moeller, 29, pled guilty to
e-mail fraud and received a 27-month
prison sentence in November 2007.
Moeller boasted to the informant that he
made as much as $40,000 a week sending
out spam, particularly pump-and-dump
stock e-mails.


VIRGINIA SPAMMER GETS NINE-YEAR
PRISON TERM OVERTURNED

Prolific spammer argues free speech protection

Convicted spammer
Jeremy Jaynes, 34,
nabbed a “get out of jail
free card” in September,
when Virginia’s
high court ruled that the
state’s antispam law violated the First
Amendment right to free speech. Jaynes
was one of the first spammers to wind up
behind bars. He was sentenced to nine
years in federal prison in 2005 for sending
unsolicited e-mail to tens of thousands of
AOL subscribers. Virginia plans to appeal
the decision.
                                        THEN (2003)          NOW (2008)

SPAM CONTENT                            Annoying             Malicious
AVERAGE DAILY VOLUME OF SPAM            15 B (Radicati)      164.1 B (Cisco/IronPort)
PERCENT OF E-MAIL THAT IS SPAM          45% (Brightmail)     96.5% (Sophos)
MONEY SPENT BATTLING SPAM ANNUALLY      $20.5 B (Radicati)   $140 B (Ferris)
% OF USERS PROTECTED BY SPAM FILTERS    62% (Pew)            71% (Pew)
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ent  asks  to  be  removed.” 

Another improvement would be requiring a
more secure method of unsubscribing. Internet
users can’t trust current unsubscribe mechanisms
because spammers use them to harvest
e-mail addresses.

“Expanding some of the unsubscribe notions
of the law to incorporate the latest developments
around secure unsubscribe or safe
unsubscribe would be good because users
can’t trust unsubscribe in the message itself,” de
Guerre says.

Despite its flaws, CAN-SPAM shouldn’t be
changed, some experts say.

“The act itself probably doesn’t need a lot of
overhauling,” Church says. “It’s doing what it was
intended to do, which is to create some baseline
standards. Trying to create more granular
details or adding more specifics would actually
create further confusion in the market.”

Overall,  experts  remain  pessimistic  about  a 
legislative  solution  to  spam.  And  there  are  no 
current  proposals  in  Congress  to  update  or 
tweak  the  existing  CAN-SPAM  law. 

“I don’t believe the CAN-SPAM Act or any law
would be of relevance,” Shine says. “With the
nature of the Internet, it’s too easy to move
your point of operations away from anywhere
you could be in trouble legally. With the
advances in network technology and the
speeds available today, there’s really no disadvantage
of doing spam from the Ukraine and
targeting the U.S.”

Alperovitch says what’s needed is not more
antispam laws but more money for law-enforcement
officials to tackle cybercrime.

“When you think about cybercrime in general,
there are plenty of laws on the books that
give law-enforcement agencies the ability to
go after criminals,” Alperovitch says. “A key
problem that Congress can help solve is giving
more resources to U.S. attorneys to go after
cybercrime. That is the most urgent thing.”

For now, companies and users must battle
spam through technology, experts say.

“The most useful thing is to really protect
your computer with up-to-date antivirus, firewalls
and security packages and to think twice
before you click,” Cluley says. “But as long as
people keep making dumb decisions, spam
will continue to happen.”

One noticeable change during the last five
years is that network managers and consumers
worry less about spam.

In  2003, 25%  of  Internet  users  said  spam  was 
a  big  problem  for  them,  according  to  the  Pew 
Internet  &  American  Life  Project.  By  2007,  that 
number  had  dropped  to  18%. 

The main reason for this shift is that consumers
are accustomed to spam, they know
what to do about it, and they are less offended
by graphic images on the Internet.

Also,  today’s  antispam  tools  are  improved, 
catching  anywhere  from  95%  to  98%  of  spam 
before  it  enters  ISP  or  corporate  networks. 

“Spam is not a priority for our CIO,” says Tom
Norman, e-mail administrator at Grand Valley
State University in Allendale, Mich. “Our spam
filters do such an excellent job that she doesn’t
worry about it at all,” Norman says.

In March, the university installed software
from Proofpoint that checks sender IP addresses,
message headers, sender reputation and
other features to block incoming spam. As a
result, Grand Valley State University reduced
the number of incoming messages it receives
each day from 2.5 million to 500,000.

“When  we  put  in  Proofpoint,  I  went  from 
being  the  campus  villain  to  the  campus  hero 
because  it  stopped  the  spam  overnight,” 
Norman  says.  He  says  he  spent  $15,000  on 
Proofpoint’s  software. 

When it comes to the CAN-SPAM Act,
Norman says that no matter what laws are
passed he expects to always be playing catch-up
with regard to spam.

“Five  years  ago,  we  didn’t  think  about  spam  at 
all.  We  just  let  it  come  in,  and  it  was  the  end 
user’s  responsibility  to  delete  the  stuff,” 
Norman  says.  “Then  it  got  to  the  point  that  it 
was  beyond  ridiculous  the  amount  of  staff 
time  that  spam  was  taking  up.” 

Concerns about user productivity and complaints
about pornographic spam led Norman
in 2003 to buy his first antispam product.

Today, Norman sees less graphic e-mail, but he
sees more hyperlinks and hidden messages.
And he sees a much larger volume of spam.

“I miss the good old days of Viagra and sex
aides now that everything is so malicious,”
Norman says. “The spammers have changed
their tool kits as they try to get around the
existing antispam options. To be honest, I have
worried about that.”


Where  does  spam  come  from? 

E-mail spam is almost always sent from innocent third-party computers that have been hijacked by hackers. These botnet computers
are owned by innocent parties, who are unaware that cybercriminals are using them for financial gain. Typically, they are home users
who have not been properly protected with up-to-date antivirus software, firewalls and security patches.

Sophos has identified the top 12 countries responsible for relaying spam across the globe:

1   UNITED STATES       14.9%
2   RUSSIA              7.5%
3   TURKEY              8.8%
4   CHINA/HONG KONG     5.6%
5   BRAZIL              4.5%
6   POLAND              3.6%
6   ITALY               3.6%
7   SOUTH KOREA         3.5%
8   UNITED KINGDOM      3.2%
8   SPAIN               3.2%
9   GERMANY             3.0%
10  ARGENTINA           2.9%
    OTHERS              37.7%


NEWS  ANALYSIS 


WiMAX 

continued  from  page  1 

what high-speed mobile broadband services
will look like. One of the most striking examples
came from Nokia Siemens Networks,
which mounted a Nokia N810 Internet appliance
near the dashboard of a car. Because
WiMAX networks can cover several miles, a
user could drive around a city and have uninterrupted
high-speed Web connectivity
throughout the trip.

Other devices on display included a WiMAX
femtocell developed by Australia’s Juni that
converts cellular signals into WiMAX IP traffic;
a mobile WiMAX express card from Samsung
that can plug into a PC and connect to Sprint
Xohm’s WiMAX services; and assorted smartphones,
ultramobile PCs, base stations and
antennae.

In total, the WiMAX Forum registered 480
devices to more than 80 vendors; and the wide
diversity of devices and applications showed
that vendors and carriers are enthusiastic
about innovating to take advantage of WiMAX
connectivity, Resnick said.

Proponents  call  WiMAX  a  faster  and  more 
secure  alternative  to  Wi-Fi,  as  well  as  a  viable 
competitor  to  wireline  offerings,  such  as  cable 
and  DSL  services. 

Barry West, president of Sprint’s Xohm business
unit, went further and called last Monday
“an historic day” for the telecom industry in
light of the Xohm service debut.

Backers of the technology were enthusiastic
at WiMAX World, though many speakers pointedly
downplayed any competition between
WiMAX and its cellular rivals in the mobile
data market. Rather, they said WiMAX could
complement such current 3G cellular data
standards as Evolution Data Optimized and
High Speed Packet Access.


The Siemens Gigaset SZ682, a WiMAX
VoIP modem that brings WiMAX VoIP
capabilities to traditional analog phones.


A Samsung Ultramobile PC SPG P9200,
one of the many WiMAX-enabled
mobile computers and devices on display
at WiMAX World.


“WiMAX has no interest in replacing cellular
voice networks,” WiMAX Forum’s Resnick said.
“WiMAX’s network will coexist with mobile
voice networks to deliver next-generation networks
that will complement what they’re
doing today.”

Ben Wolff, CEO of Sprint WiMAX partner
Clearwire, echoed that theme and said “people
are getting lost in debate over which technology
is best,” when they really should be
talking about developing a business plan
“that allows us to deliver all the Internet has
to offer in the palm of your hand, and about
having a new type of network architecture
that is all IP-based.”

So,  if  WiMAX  devices  and  services  won’t  be 
going  head-to-head  with  carriers’  cell-based 
data  standards,  it’s  fair  to  ask  exactly  what 
WiMAX  brings  to  the  table.  The  short-term 
answer  appears  to  be  the  fastest  wireless 
data  standard  available  until  the  GSM-based 
Long  Term  Evolution  arrives  two  or  more 
years  from  now. 

In the long term, WiMAX could be a major
player in bringing broadband to rural and developing
areas. Sprint is initially focusing on
big cities, with Washington, D.C., and Chicago
also in its rollout plan for this year; but the
company is working with its partners in the
Clearwire coalition to build out a nationwide
WiMAX network that will cover both urban
and rural areas.


The Siemens Gigaset SE68 WiMAX
express card, which can be plugged
into a PC for instant WiMAX access.

As for the details of Sprint’s immediate Xohm
offering, customers will connect to the network
for a single monthly charge that will
cover multiple devices for every user. They
have the option of paying $25 a month for
home wireless Internet service; $30 a month
for an “on-the-go” service that will give them
access to data wherever WiMAX is available; or
$50 a month for a service that covers two
WiMAX devices. Users who don’t wish to subscribe
to the service can purchase $10 “day
passes” that will give them temporary access to
the high-speed wireless network.

Sprint  says  customers  who  want  to  connect 
their  PCs  to  the  WiMAX  network  can  purchase 
Xohm-branded  Samsung  Express  air  cards  for 
roughly  $60  and  ZyXEL  Communications 
modems  for  about  $80  from  either  Xohm’s 
Web  site  or  select  local  retailers.  Sprint  also 
says  it  expects  more  WiMAX  devices  to  be  on 
sale  by  year-end. 

Industry watchers, such as Forrester Research
and Gartner, are keeping a close eye on
Sprint’s efforts, suggesting in recent reports that
corporations hold off on WiMAX deployments
until services and equipment are more widely
available. Not that the Sprint-Clearwire partnership
is the only game in town: Smaller businesses
dubbed WiMAX ISPs are offering services
to business customers over a mix of unlicensed
and other frequencies.
Palin and politics

You had some interesting responses to last
week’s Backspin on Palin’s e-mail woes.
Quick recap: Republican vice presidential
candidate Sarah Palin had her Yahoo e-mail
account broken into using some basic social
engineering techniques, and some of the contents
were subsequently published.

What I didn’t have space to go into last week
was why these idiots broke into her account in
the first place: According to Wikileaks, where the news broke on
Sept. 16, the attackers are from an Internet activist group called “anonymous”
(how creative is that?) and they did it because they believed
media comments that Palin had used “pseudo-private e-mail accounts
to avoid Alaskan freedom of information laws.”

Regarding my charge that Palin was naive when it came to email,
reader George Holowko said, “I don’t feel this demonstrates naivety but,
rather, it places Palin in the same league as most Americans, and NOT
some kind of elitist group that expects or requires special treatment.”

I  was  using  “naive”  in  the  literal  sense  of  “not  knowing,”  but  I  find  it 
surprising  that  apparently  the  entire  Republican  Party  couldn’t  think 
through  these  kinds  of  issues.  And  isn’t  it  the  case  that  running  for  the 
post  of  vice  president  is,  de  facto,  elitist? 

Reader Matthew Lazarow said, “given the position that Palin is trying
to obtain you would definitely think she would have access to someone
in the ‘Czech Republic’ to tell her which mushrooms are good and
which ones are not.” Indeed. Why is there no equivalent of Karl Rove
managing their technology strategy? Isn’t that a serious oversight?

Reader Bailey Edward agreed that breaking into Palin’s e-mail was
wrong and commented: “I would have loved to have seen what someone
would have done if a Democrat’s e-mail was cracked and stuff was
leaked. I bet there would be a huge investigation and it would have
been labeled a ‘hack.’”

Lots to talk about

This was, in fact, labeled by most of the press as a hack. I didn’t think
it deserved that label because it was so simplistic. But let’s not assume
the powers-that-be didn’t step in because after all, the issue did
quickly sink out of sight. Given the leaked messages indicate Palin
was, in fact, using private e-mail services to avoid Alaska’s freedom of
information act, having the issue disappear like the Cheshire Cat is a
very good outcome.

But hold hard, my friends! I can hear some of you muttering, “He’s getting
political. Again. How dare he! This is a technology publication.”

When  will  you  people  get  it?  IT  is  the  foundation  of  all  American 
business  and  it  is  therefore  intrinsically  political!  You  doubt  this? 

As  an  example,  consider  that  last  March  Rep. Tim  Couch  (R-Ken.) 
attempted  to  get  a  bill  passed,  HB775,  in  his  state  that  would  “require 
registration  prior  to  posting  information  to  these  interactive  services; 
identify  persons,  businesses,  or  entities  that  post  information  to  these 
interactive  services  [and]  establish  penalty  provisions.” 

The  penalties  proposed  were  $500  for  the  first  offense  and  $1,000  for 
each  subsequent  offense.  Honestly  I  am  not  making  this  up. 

It doesn’t take a legal genius to figure out that this bill would have
violated the First Amendment — indeed, would have stomped all over
it in jackboots. Couch even admitted that the bill was “probably
unconstitutional,” claimed he had proposed it to raise awareness about
Internet bullying, and said, “The state can try to pass some rules, but I
don’t really think it would do anything.” (I love his implying “the state”
was driving the bill and not him.)

If  that  isn’t  a  great  example  of  the  politicizing  of  IT  I  don’t  know 
what  is.  Couch  unscrupulously  used  IT  and  the  political  process  to 
further  his  own  agenda  knowing  from  the  outset  that  the  bill  was  a 
non-starter! 

There  is  no  end  of  examples  of  the  politicization  of  information 
technology  and  IT  will  only  become  a  more  central  part  of  the  issues 
that  face  us  over  the  next  four  years  and  beyond. 

You and I, we’re going to have a lot to talk about.

Gibbs is definitely loquacious in Ventura, Calif. Speak up to
backspin@gibbs.com.


BACKSPIN 


Mark  Gibbs 


Airport  ‘X-ray  art’  courts  TSA  trouble 


Techno-artist/open source developer Evan
Roth has a message for the Transportation
Safety Administration — several messages,
actually — about what he considers
excessive airport security “theater.” He also has
chosen an intentionally provocative method of
delivering those messages: the TSA’s own X-ray
screening machines.

Here’s  Roth’s  plan,  which  he  calls  “TSA 
Communication”  and  tells  me  has  already 
made  it  successfully  through  three  trial  airport  runs:  Take  a  metal 
plate,  stencil  and  cut  out  a  message  —  words  or  an  image  —  place 
the  plate  at  the  bottom  of  your  carry-on  bag,  and  watch  what  happens 
as  the  TSA  employee  operating  the  airport  X-ray  machine  notices  ...  or 
doesn’t  notice. 

The  cut-out  images,  which  could  be  anything,  currently  range  from 
the  benign  (an  American  flag)  to  the  smart-alecky  (“Nothing  to  see 
here”)  to  what  some  might  find  offensive  and  a  TSA  agent  somewhere 
is  bound  to  cause  a  fuss  over:  a  silhouette  of  a  box  cutter,  which  Roth 
calls  “the  exact  opposite  of  a  box  cutter.” 

Best known for co-founding the Graffiti Research Lab — “Dedicated
to outfitting graffiti artists with open source technologies for urban
communication” — Roth and I have been swapping e-mail about his
TSA project. I’ve also consulted an expert on airport security screening
to get that point of view. Roth first, then the expert:

Are  you  serious  about  doing  this? 

“So far I have traveled with the plates three times (I’m actually
answering these questions in the Hong Kong airport, having just
passed security 20 minutes ago) and I plan to continue doing so.

“I fly all the time, and a big part of doing this project is simply so I
have something to look forward to when I go to the airport. I hate flying,
I hate airports, I hate security, I hate wasting time, and most of all I
hate being forced to play a role in the theater of security.

“Of course having to take off my shoes and throw out my 4-ounce
Jell-O isn’t the end of the world, but by passively going along with it I
feel as if I am agreeing to take part in the ruse. Taking off my belt is
not going to make flying any safer. ... I would rather go through the
dance of airport security as an active participant rather than a passive
one.”

Are  you  at  all  concerned  about  the  obvious  risks  associated  with 
joking  with  airport  security? 

“Legally I don’t think I’m breaking any laws by carrying the plates
in my carry-on bag. I’ve read the TSA’s list of prohibited items, and
while a 4-ounce container of yogurt might pose some problems, “TSA
Communication Plates” aren’t currently on the list. I would, however,
consider it my crowning achievement as an artist if they added “TSA
Communication Plates” to their list of prohibited items (I’m not holding
my breath).

“And  while  there  is  a  certain  amount  of  humor  in  the  project,  I 
wouldn’t  be  doing  this  if  it  was  only  intended  simply  as  a  joke.” 

Are  you  concerned  about  what  others  might  do  if  your  idea  catches 
on? 

“I  am  excited  by  what  others  might  do  if  this  catches  on.  I  think  if  we 

See  Net  Buzz,  page  17 